1、部署postgres-sonar数据使用pvc存储。

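---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: postgres-sonar
  namespace: service-tools
  labels:
    app: postgres-sonar
spec:
  replicas: 1
  # A single-replica database on one claim must never run as two pods at
  # once; the default RollingUpdate (maxSurge rounds up to 1) would start the
  # new pod before the old one has released the data directory.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: postgres-sonar
  template:
    metadata:
      labels:
        app: postgres-sonar
    spec:
      containers:
        - name: postgres-sonar
          image: postgres:11.4
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 5432
          env:
            - name: POSTGRES_DB
              value: "sonarDB"
            - name: POSTGRES_USER
              value: "sonarUser"
            # NOTE(review): plaintext credential committed with the manifest;
            # move it to a Secret and read it with valueFrom.secretKeyRef. The
            # SonarQube Deployment's SONARQUBE_JDBC_PASSWORD must carry the
            # same value.
            - name: POSTGRES_PASSWORD
              value: "123456"
          resources:
            limits:
              cpu: 1000m
              memory: 2048Mi
            requests:
              cpu: 500m
              memory: 1024Mi
          volumeMounts:
            - name: postgres-data
              mountPath: /var/lib/postgresql/data
      volumes:
        - name: postgres-data
          # The claim name suggests a NAS-backed claim for the whole namespace.
          # NOTE(review): the data directory is mounted at the volume root with
          # no subPath — confirm nothing else writes to this claim.
          persistentVolumeClaim:
            claimName: nas-service-tools-pvc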
---
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: postgres-sonar
  name: postgres-sonar
  namespace: service-tools
spec:
  # Headless Service: no virtual IP is allocated, so the DNS name
  # postgres-sonar resolves directly to the selected pod. This is the host
  # used in the SonarQube JDBC URL.
  clusterIP: None
  selector:
    app: postgres-sonar
  ports:
    - protocol: TCP
      port: 5432
      targetPort: 5432

2、部署SonarQube服务。

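---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: sonarqube
  name: sonarqube
  namespace: service-tools
spec:
  replicas: 1
  # SonarQube keeps its embedded Elasticsearch index under data/; a second
  # pod started on the same claim during a RollingUpdate would contend for
  # that directory, so the old pod must be gone before the new one starts.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: sonarqube
  template:
    metadata:
      labels:
        app: sonarqube
    spec:
      containers:
        - env:
            # NOTE(review): SONARQUBE_JDBC_* are the older variable names; newer
            # images document SONAR_JDBC_URL/USERNAME/PASSWORD. Because `lts`
            # is a floating tag, confirm the resolved version still reads these
            # names, or pin the tag and rename them accordingly.
            - name: SONARQUBE_JDBC_USERNAME
              value: sonarUser
            # NOTE(review): plaintext credential; reference a Secret through
            # valueFrom.secretKeyRef. Must equal POSTGRES_PASSWORD in the
            # postgres-sonar Deployment.
            - name: SONARQUBE_JDBC_PASSWORD
              value: '123456'
            # postgres-sonar is the headless Service in this namespace.
            - name: SONARQUBE_JDBC_URL
              value: 'jdbc:postgresql://postgres-sonar:5432/sonarDB'
          # NOTE(review): floating tag — pin a version (ideally a digest) so an
          # upgrade happens on purpose rather than on the next image pull.
          image: 'sonarqube:lts'
          imagePullPolicy: IfNotPresent
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /sessions/new
              port: 9000
              scheme: HTTP
            # Nothing is probed during the first minute while the JVM starts.
            initialDelaySeconds: 60
            periodSeconds: 30
            successThreshold: 1
            # NOTE(review): a 1s timeout is tight for a JVM under load; three
            # consecutive misses (failureThreshold) restart the container.
            timeoutSeconds: 1
          name: sonarqube
          ports:
            - containerPort: 9000
              protocol: TCP
          readinessProbe:
            failureThreshold: 6
            httpGet:
              path: /sessions/new
              port: 9000
              scheme: HTTP
            initialDelaySeconds: 60
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 1
          resources:
            # Decimal M here versus binary Mi in the postgres manifest; both
            # are valid quantities and are kept as written.
            limits:
              cpu: '2'
              memory: 2048M
            requests:
              cpu: '1'
              memory: 1024M
          # One claim backs all three directories. Without subPath each mount
          # exposed the same volume root, so conf, data and extensions were
          # one and the same directory; subPath gives each its own
          # subdirectory on the claim.
          volumeMounts:
            - mountPath: /opt/sonarqube/conf
              name: sonarqube-data
              subPath: conf
            - mountPath: /opt/sonarqube/data
              name: sonarqube-data
              subPath: data
            - mountPath: /opt/sonarqube/extensions
              name: sonarqube-data
              subPath: extensions
      initContainers:
        # Elasticsearch requires the node's vm.max_map_count to be at least
        # 262144. It is a kernel (node-wide) setting, which is why this init
        # container is privileged; no other container in the pod is.
        - command:
            - sysctl
            - '-w'
            - vm.max_map_count=262144
          # NOTE(review): `latest` is unpinned — pin busybox as well.
          image: 'busybox:latest'
          imagePullPolicy: IfNotPresent
          name: init-sysctl
          resources: {}
          securityContext:
            privileged: true
      volumes:
        - name: sonarqube-data
          persistentVolumeClaim:
            claimName: nas-sq-service-tools-pvc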
---
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: sonarqube
  name: sonarqube
  namespace: service-tools
spec:
  type: ClusterIP
  selector:
    app: sonarqube
  ports:
    # Service port 80 is forwarded to the SonarQube web port 9000; the
    # Ingress refers to the Service port, not the container port.
    - port: 80
      targetPort: 9000
      protocol: TCP
---
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: sonarqube-alb-ingress
  namespace: service-tools
spec:
  ingressClassName: nginx-alb
  # `域名` stands for the real domain and `证书名` for the name of the TLS
  # certificate Secret; both are placeholders to be filled in, not real names.
  tls:
    - secretName: 证书名-city-tls
      hosts:
        - sonarqube.域名
  rules:
    - host: sonarqube.域名
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: sonarqube
                port:
                  number: 80

3、通过域名登录SonarQube平台,默认账号密码:admin/admin

在应用中安装(Chinese Pack)中文插件包

4、通过下载sonar-scanner包,去审计代码。

https://binaries.sonarsource.com/?prefix=Distribution/sonar-scanner-cli/

下载完sonar-scanner包解压到指定文件夹,配置sonar-scanner.properties文件。

cat sonar-scanner/conf/sonar-scanner.properties 
# Configure here general information about the environment, such as SonarQube server connection details for example
# No information about specific project should appear here

#----- Default SonarQube server
# Must match the TLS host exposed by the Ingress so the scanner reaches the
# server over HTTPS (`域名` is the domain placeholder used throughout).
sonar.host.url=https://sonarqube.域名

#----- Default source code encoding
sonar.sourceEncoding=UTF-8

5、使用方案。

密钥生成

SonarQube部署到k8s_代码审计

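# SonarQube code audit: run the scanner from the project root in the CI job.
# The token generated in the SonarQube UI is taken from the SONAR_TOKEN
# variable (inject it as a CI secret) instead of being written literally into
# the job definition; a -D argument is still visible in the process list, so
# keep the job's command echo off.
# Property names are case-sensitive: sonar.projectName and sonar.sources
# (the original had "projectname" and the misspelt "soanr.sources", both of
# which the scanner silently ignores).
/sonar-scanner/bin/sonar-scanner \
  -Dsonar.login="${SONAR_TOKEN}" \
  -Dsonar.projectName="${JOB_NAME}" \
  -Dsonar.projectKey="${JOB_NAME}" \
  -Dsonar.sources=./ \
  -Dsonar.java.binaries=./target/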

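# SonarQube code audit — the same command with each option explained.
#   /sonar-scanner/bin/sonar-scanner   path of the scanner binary
#   sonar.login                        token generated on the SonarQube
#                                      platform, passed via $SONAR_TOKEN
#   sonar.projectName / projectKey     taken from the CI job name
#   sonar.sources                      location of the source code
#   sonar.java.binaries                location of the compiled output
# Names are case-sensitive (projectName, sonar.sources); a misspelt property
# is ignored without an error.
/sonar-scanner/bin/sonar-scanner \
  -Dsonar.login="${SONAR_TOKEN}" \
  -Dsonar.projectName="${JOB_NAME}" \
  -Dsonar.projectKey="${JOB_NAME}" \
  -Dsonar.sources=./ \
  -Dsonar.java.binaries=./target/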