WPB-23896: Handle SonarQube yaml alerts #5160
| data: | ||
| ca.pem: {{ include "tlsCaBrig" . | b64enc | quote }} | ||
| {{- end}} | ||
| ca.pem: {{ include "tlsCaBrig" . | b64enc | quote }} |
There was a problem hiding this comment.
why is indentation increased from 2 to 3 spaces here?
(and also many other places)
There was a problem hiding this comment.
My yaml formatter is a bit brittle, thanks, fixed.
There was a problem hiding this comment.
this file does not render correctly
There was a problem hiding this comment.
What do you mean precisely?
There was a problem hiding this comment.
I just mean that there was an error during rendering:
Error: parse error at (wire-server/charts/nginz/templates/configmap.yaml:6): undefined variable "$nginx_conf"
There was a problem hiding this comment.
It does not, there's no $nginx_conf. How do you get this error?
There was a problem hiding this comment.
I haven't done it for this branch, but you could helm template the chart with --set-string "foo=bar" for the missing values Helm will scream for.
There was a problem hiding this comment.
I cannot find which arguments to give to evaluate this file :/
There was a problem hiding this comment.
helm template test charts/nginz \
--set secrets.zAuth.publicKeys="test-key=test-value" \
--set secrets.basicAuth="user:pass"
The values don't really matter. But the keys need to be defined.
There was a problem hiding this comment.
Thanks, no more parse error
| memory: "128Mi" | ||
| cpu: "1" | ||
| limits: | ||
| memory: "512Mi" |
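Review bot: `cpu: "1"` above `limits:` reads as a request for a full core alongside `memory: "128Mi"`, while the other resource blocks in this PR request `cpu: "100m"`. If this block is actually consumed by a template, the value deserves a measured basis; if it is not consumed, leaving it out avoids a values entry that suggests a limit is enforced when none is.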
There was a problem hiding this comment.
are these values actually used?
There was a problem hiding this comment.
I don't think so. The resources are defined here:
| {{- include "outlook.labels" . | nindent 4 }} | ||
| spec: | ||
| replicas: 3 | ||
| automountServiceAccountToken: false |
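Review bot: `automountServiceAccountToken: false` appears directly after `replicas: 3`, which puts it at the Deployment `spec` level, where it is not a Deployment field. It is a PodSpec field, so it has to sit under `spec.template.spec` to take effect; as placed it is an unknown field on the Deployment and the pods keep mounting the service account token, so the S6865 finding would be silenced without the hardening being applied.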
There was a problem hiding this comment.
This is in the deployment spec but should be in the pod spec instead.
charts/restund/values.yaml
Outdated
| resources: | ||
| requests: | ||
| memory: "256Mi" | ||
| cpu: "100m" | ||
| limits: | ||
| memory: "512Mi" | ||
|
|
There was a problem hiding this comment.
I'm wondering if we're still using restund (predecessor of coturn) at all 🤔
I'll try to figure that out.
There was a problem hiding this comment.
It's unused and will be deleted with https://wearezeta.atlassian.net/browse/WPB-24485 .
IMHO we can ignore it for now (and e.g. add an exclusion to Sonar).
There was a problem hiding this comment.
Dropped and ignored
changelog.d/5-internal/WPB-23896
Outdated
| Fixed SonarQube Helm template formatting, variable naming, and resource/RBAC issues in charts/: | ||
|
|
||
| ## Template Formatting (kubernetes:S6893) - 15 issues | ||
| - charts/wire-server/templates/background-worker/configmap.yaml: Added whitespace after "{{" on lines 107, 110 | ||
| - charts/wire-server/templates/gundeck/configmap.yaml: Added whitespace after "{{" on lines 51, 62 | ||
| - charts/wire-server/templates/galley/configmap.yaml: Added whitespace before "}}" on line 88 | ||
| - charts/wire-server/templates/gundeck/deployment.yaml: Added whitespace before "}}" on line 52 | ||
| - charts/wire-server/templates/brig/tests/brig-integration.yaml: Added whitespace before "}}" on lines 51, 56, 122 | ||
| - charts/wire-server/templates/gundeck/tests/gundeck-integration.yaml: Added whitespace before "}}" on line 20 | ||
| - charts/wire-server/templates/spar/tests/spar-integration.yaml: Added whitespace before "}}" on line 23 | ||
| - charts/cassandra-migrations/templates/cassandra-certs.yaml: Added whitespace before "}}" on lines 18, 37, 56, 75 | ||
| - charts/elasticsearch-index/templates/elasticsearch-ca-secret.yaml: Added whitespace after "{{" on line 5 | ||
| - charts/nginx-ingress-services/templates/issuer.yaml: Added whitespace after "{{" and before "}}" on lines 6, 23, 32 | ||
|
|
||
| ## Variable Naming (kubernetes:S117) - 4 issues | ||
| - charts/nginz/templates/configmap.yaml: Renamed variables to match camelCase convention: | ||
| - $nginx_conf -> $nginxConf | ||
| - $external_env_domain -> $externalEnvDomain | ||
| - $deeplink_json -> $deeplinkJson | ||
| - $deeplink_html -> $deeplinkHtml | ||
| Updated all references accordingly | ||
|
|
||
| ## Resource Limits/Requests - 6 issues | ||
| - charts/outlook-addin/templates/deployment.yaml: Added resources block with memory limit and memory/cpu requests | ||
| - charts/restund/values.yaml: Added resources block with memory/cpu limits and requests | ||
| - charts/k8ssandra-test-cluster/values.yaml: Added resources block with memory/cpu limits and requests | ||
| - charts/backoffice/templates/tests/stern-integration.yaml: Added memory limit to existing resources | ||
| - charts/wire-server/values.yaml: Added ephemeral-storage requests to background-worker and wire-server-enterprise resources | ||
|
|
||
| ## Service Account RBAC (kubernetes:S6865) - 5 issues | ||
| - charts/wire-server/templates/cargohold/deployment.yaml: Added automountServiceAccountToken: false | ||
| - charts/restund/templates/statefulset.yaml: Added automountServiceAccountToken: false | ||
| - charts/outlook-addin/templates/deployment.yaml: Added automountServiceAccountToken: false | ||
| - charts/k8ssandra-test-cluster/templates/check-cluster-job.yaml: Added automountServiceAccountToken: false | ||
| - charts/backoffice/templates/tests/stern-integration.yaml: Added automountServiceAccountToken: false |
There was a problem hiding this comment.
this was helpful for reviewing, but I think it is too much when added to the changelog.
I think it would be better if we put these in the PR description, make the changelog itself much shorter.
There was a problem hiding this comment.
Yeah, I'm agreeing with @battermann. Operators probably don't care about renaming variables.
However, the Resource Limits/Requests might be interesting beyond internal. Maybe, add a sentence in another changelog category?
| requests: | ||
| memory: "200Mi" | ||
| cpu: "100m" | ||
| ephemeral-storage: "1Gi" |
There was a problem hiding this comment.
wire-server-enterprise doesn't seem to use any storage. 🤔
What's the goal of this change?
| # NOTE: this secret doesnt need to be created, it only gets a name with this | ||
| privateKeySecretRef: | ||
| name: {{ include "nginx-ingress-services.getIssuerName" . -}}-account-key | ||
| name: {{ include "nginx-ingress-services.getIssuerName" . }}-account-key |
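Review bot: dropping the `-` from `-}}` on the `name:` line should not change the rendered value, because `-account-key` follows the action directly and there is no whitespace for the trim marker to remove. A `helm template` diff before and after would confirm the name is byte-identical, which matters here because a changed `privateKeySecretRef` name would point the issuer at a differently named account key secret.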
There was a problem hiding this comment.
What was wrong with the -? I thought, this is killing whitespace to the right? 🤔
| resources: | ||
| requests: | ||
| memory: "128Mi" | ||
| cpu: "100m" | ||
| limits: | ||
| memory: "256Mi" |
There was a problem hiding this comment.
I have to admit that I know almost nothing about the outlook-addin.
I'm wondering where these numbers come from / how they have been chosen?
There was a problem hiding this comment.
Me neither, do we have monitoring on that, so I can have real-world values?
charts/wire-server/values.yaml
Outdated
| requests: | ||
| memory: "200Mi" | ||
| cpu: "100m" | ||
| ephemeral-storage: "1Gi" |
There was a problem hiding this comment.
Does the background-worker need storage? 🤔
| "helm.sh/hook-delete-policy": hook-succeeded,hook-failed | ||
| type: Opaque | ||
| data: | ||
| data: |
There was a problem hiding this comment.
Is this indentation intended?
There was a problem hiding this comment.
Actually, this applies to most indentations in this file.
| {{- if and (hasKey .Values.nginx_conf "deeplink") (hasKey .Values.nginx_conf "external_env_domain") }} | ||
| {{- $backendURL := .Values.nginx_conf.deeplink.endpoints.backendURL }} | ||
| {{- $deeplink_json := $backendURL | replace "https://" "" | trimSuffix "/" | printf "%s-deeplink.json" }} | ||
| {{- $deeplink_html := $backendURL | replace "https://" "" | trimSuffix "/" | printf "%s-deeplink.html" }} | ||
| {{ $deeplink_json }}: | | ||
| {{- $deeplinkJson := .Values.nginx_conf.deeplink.endpoints.backendURL | replace "https://" "" | trimSuffix "/" | printf "%s-deeplink.json" }} | ||
| {{- $deeplinkHtml := .Values.nginx_conf.deeplink.endpoints.backendURL | replace "https://" "" | trimSuffix "/" | printf "%s-deeplink.html" }} |
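Review bot: the new `$deeplinkJson` and `$deeplinkHtml` assignments each repeat the full `.Values.nginx_conf.deeplink.endpoints.backendURL | replace "https://" "" | trimSuffix "/"` pipeline, where the previous version bound `$backendURL` once. Keeping a single binding and deriving both file names from it avoids the two ConfigMap keys drifting apart in a later edit. Also check that every use, such as `{{ $deeplink_json }}: |`, was renamed together with the assignment, since Helm fails the whole template on an undefined variable.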
There was a problem hiding this comment.
Can't we use the alias $nginxConf here?
| <html> | ||
| <head></head> | ||
| <head> | ||
| <title>Deeplink for {{ .Values.nginx_conf.deeplink.endpoints.backendURL }}</title> |
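Review bot: the new `<title>` line interpolates `.Values.nginx_conf.deeplink.endpoints.backendURL` into HTML unescaped, and Helm renders with Go's text/template, which does no HTML escaping. The value is operator-supplied, so this is mainly a robustness point, but piping it through Go's built-in `html` template function keeps a URL containing `&` or `<` from producing malformed markup in the served page.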
There was a problem hiding this comment.
Same here: There's an alias on .Values.nginx_conf ($nginxConf).
| type: Opaque | ||
| data: |
There was a problem hiding this comment.
This is YAML. We unfortunately have to be careful with indentation 😅
These two indents probably slipped through?
https://wearezeta.atlassian.net/browse/WPB-23896
Checklist
changelog.d