1. Deploy postgres-sonar, with its data stored on a PVC.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: postgres-sonar
  namespace: service-tools
  labels:
    app: postgres-sonar
spec:
  replicas: 1
  selector:
    matchLabels:
      app: postgres-sonar
  template:
    metadata:
      labels:
        app: postgres-sonar
    spec:
      containers:
        - name: postgres-sonar
          image: postgres:11.4
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 5432
          env:
            - name: POSTGRES_DB
              value: "sonarDB"
            - name: POSTGRES_USER
              value: "sonarUser"
            - name: POSTGRES_PASSWORD
              value: "123456"
          resources:
            limits:
              cpu: 1000m
              memory: 2048Mi
            requests:
              cpu: 500m
              memory: 1024Mi
          volumeMounts:
            - name: postgres-data
              mountPath: /var/lib/postgresql/data
      volumes:
        - name: postgres-data
          persistentVolumeClaim:
            claimName: nas-service-tools-pvc
---
apiVersion: v1
kind: Service
metadata:
  name: postgres-sonar
  namespace: service-tools
  labels:
    app: postgres-sonar
spec:
  clusterIP: None
  ports:
    - port: 5432
      protocol: TCP
      targetPort: 5432
  selector:
    app: postgres-sonar

2. Deploy the SonarQube service.

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: sonarqube
  name: sonarqube
  namespace: service-tools
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sonarqube
  template:
    metadata:
      labels:
        app: sonarqube
    spec:
      containers:
        - env:
            - name: SONARQUBE_JDBC_USERNAME
              value: sonarUser
            - name: SONARQUBE_JDBC_PASSWORD
              value: '123456'
            - name: SONARQUBE_JDBC_URL
              value: 'jdbc:postgresql://postgres-sonar:5432/sonarDB'
          image: 'sonarqube:lts'
          imagePullPolicy: IfNotPresent
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /sessions/new
              port: 9000
              scheme: HTTP
            initialDelaySeconds: 60
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 1
          name: sonarqube
          ports:
            - containerPort: 9000
              protocol: TCP
          readinessProbe:
            failureThreshold: 6
            httpGet:
              path: /sessions/new
              port: 9000
              scheme: HTTP
            initialDelaySeconds: 60
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 1
          resources:
            limits:
              cpu: '2'
              memory: 2048M
            requests:
              cpu: '1'
              memory: 1024M
          volumeMounts:
            - mountPath: /opt/sonarqube/conf
              name: sonarqube-data
            - mountPath: /opt/sonarqube/data
              name: sonarqube-data
            - mountPath: /opt/sonarqube/extensions
              name: sonarqube-data
      initContainers:
        - command:
            - sysctl
            - '-w'
            - vm.max_map_count=262144
          image: 'busybox:latest'
          imagePullPolicy: IfNotPresent
          name: init-sysctl
          resources: {}
          securityContext:
            privileged: true
      volumes:
        - name: sonarqube-data
          persistentVolumeClaim:
            claimName: nas-sq-service-tools-pvc
---
apiVersion: v1
kind: Service
metadata:
  name: sonarqube
  namespace: service-tools
  labels:
    app: sonarqube
spec:
  selector:
    app: sonarqube
  ports:
    - protocol: TCP
      port: 80
      targetPort: 9000
  type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: sonarqube-alb-ingress
  namespace: service-tools
spec:
  ingressClassName: nginx-alb
  rules:
    - host: sonarqube.域名
      http:
        paths:
          - backend:
              service:
                name: sonarqube
                port:
                  number: 80
            path: /
            pathType: Prefix
  tls:
    - hosts:
        - sonarqube.域名
      secretName: 证书名-city-tls
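Both the postgres-sonar and the sonarqube Deployments above pass the database password as a literal `value:` in the pod spec, so anyone who can read the Deployment can read it, and it is committed together with the manifests. Added example, not part of the original manifests: a Secret carrying the credentials, plus the `env` stanzas that pull from it, to substitute into the container spec of each of the two Deployments. The Secret name `sonar-db-credentials` and the placeholder password are assumptions.

```yaml
# Secret for the database credentials (assumed name: sonar-db-credentials)
apiVersion: v1
kind: Secret
metadata:
  name: sonar-db-credentials
  namespace: service-tools
type: Opaque
stringData:                     # plain values here; the API server stores them base64-encoded
  POSTGRES_DB: sonarDB
  POSTGRES_USER: sonarUser
  POSTGRES_PASSWORD: CHANGE-ME  # placeholder: generate a long random value, never 123456
---
# Fragment for the postgres-sonar Deployment: goes under
# spec.template.spec.containers[0] in place of the literal env: list.
# The Secret keys match the variable names the postgres image expects,
# so the whole Secret can be injected with envFrom.
envFrom:
  - secretRef:
      name: sonar-db-credentials
---
# Fragment for the sonarqube Deployment: goes under
# spec.template.spec.containers[0] in place of the literal env: list.
# The JDBC variables have different names, so each one is mapped to a key.
env:
  - name: SONARQUBE_JDBC_USERNAME
    valueFrom:
      secretKeyRef:
        name: sonar-db-credentials
        key: POSTGRES_USER
  - name: SONARQUBE_JDBC_PASSWORD
    valueFrom:
      secretKeyRef:
        name: sonar-db-credentials
        key: POSTGRES_PASSWORD
  - name: SONARQUBE_JDBC_URL
    value: jdbc:postgresql://postgres-sonar:5432/sonarDB
```

Restrict `get`/`list` on Secrets in the `service-tools` namespace to the accounts that deploy these workloads; rotating the password then means updating the Secret and restarting both pods.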

3. Log in to the SonarQube platform through the domain name; the default account/password is admin/admin.

Install the Chinese Pack (Chinese language) plugin from within the application.

4. Download the sonar-scanner package and use it to audit the code.

 https://binaries.sonarsource.com/?prefix=Distribution/sonar-scanner-cli/

After downloading the sonar-scanner package, extract it to the chosen folder and configure the sonar-scanner.properties file.

cat sonar-scanner/conf/sonar-scanner.properties
#Configure here general information about the environment, such as SonarQube server connection details for example
#No information about specific project should appear here

#----- Default SonarQube server
sonar.host.url=https://sonarqube.域名

#----- Default source code encoding
sonar.sourceEncoding=UTF-8

5. Usage.

Token generation

[Image: SonarQube deployed to k8s, code audit]

# sonarqube code audit
/sonar-scanner/bin/sonar-scanner -Dsonar.login=生成的密钥 -Dsonar.projectName=${JOB_NAME} -Dsonar.projectKey=${JOB_NAME} -Dsonar.sources=./ -Dsonar.java.binaries=./target/

# sonarqube code audit, option by option (property names are case-sensitive)
/sonar-scanner/bin/sonar-scanner   # path to sonar-scanner
-Dsonar.login=生成的密钥           # token generated on the SonarQube platform
-Dsonar.projectName=${JOB_NAME}    # display name of the project
-Dsonar.projectKey=${JOB_NAME}     # unique key of the project
-Dsonar.sources=./                 # location of the source code
-Dsonar.java.binaries=./target/    # location of the compiled artifacts
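The command above hands the token to the scanner as `-Dsonar.login=` on the command line, where it shows up in `ps` output, in `/proc/<pid>/cmdline` and in the CI console log. Added example, not from the original page: the same scan run as a Kubernetes Job in the `service-tools` namespace, with the token kept in a Secret and delivered through the `SONAR_TOKEN` environment variable that the official `sonarsource/sonar-scanner-cli` image reads. The Secret and Job names, the repository URL, the project key and the uid 1000 of the scanner image's user are assumptions; the page's `sonar.java.binaries` option is left out because a bare checkout has no `target/` directory.

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: sonar-scanner-token            # assumed name
  namespace: service-tools
type: Opaque
stringData:
  SONAR_TOKEN: REPLACE-WITH-TOKEN      # placeholder for the token generated in the SonarQube UI
---
apiVersion: batch/v1
kind: Job
metadata:
  name: sonar-scan-example-project     # assumed name
  namespace: service-tools
spec:
  backoffLimit: 0                      # do not retry a failed scan automatically
  template:
    spec:
      restartPolicy: Never
      automountServiceAccountToken: false  # the scan needs no Kubernetes API access
      securityContext:
        runAsUser: 1000                # assumed uid of the scanner-cli image user; the clone
        runAsNonRoot: true             # runs as the same uid so the scanner can write .scannerwork
      volumes:
        - name: src
          emptyDir: {}
      initContainers:
        - name: checkout               # shallow clone of the code to scan (placeholder URL)
          image: alpine/git:latest
          args: ["clone", "--depth=1", "https://git.example.com/placeholder/repo.git", "/src"]
          volumeMounts:
            - { name: src, mountPath: /src }
      containers:
        - name: scanner
          image: sonarsource/sonar-scanner-cli:latest
          workingDir: /src
          env:
            - name: SONAR_HOST_URL
              value: https://sonarqube.域名   # same host as in sonar-scanner.properties above
          envFrom:
            - secretRef:
                name: sonar-scanner-token  # provides SONAR_TOKEN; it never appears in args or logs
          args:                        # the image entrypoint expects the command as first argument
            - sonar-scanner
            - -Dsonar.projectKey=example-project
            - -Dsonar.projectName=example-project
            - -Dsonar.sources=./
          volumeMounts:
            - { name: src, mountPath: /src }
```

For Java projects, add a build step before the scan and pass `-Dsonar.java.binaries=./target/` as on the page; use a token scoped to the project being analysed rather than a global one, so a leaked token cannot write to other projects.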