SONAR-25554 Add validation for jwtSecret and existingJwtSecret values

Author: alain-kermis-sonarsource

.cirrus/generate_helm_fixtures.sh

@@ -22,7 +22,7 @@ for path in "sonarqube" "sonarqube-dce"; do
         FIXTURE_STATIC_TEST_FOLDER="./tests/unit-compatibility-test/fixtures/${path}/${TEST_CASE_NAME}"
 
         echo "Entering fixture test for ${TEST_CASE_NAME}"
-        helm template --set monitoringPasscode='test' --set global.postgresql.postgresqlPostgresPassword='toto' --kube-version "$KUBE_VERSION" --dry-run --debug -f "$file" "${TEST_CASE_NAME}" ${CHART_TEST_FOLDER} > "${FIXTURE_STATIC_TEST_FOLDER}"
+        helm template --set monitoringPasscode='test'  --set applicationNodes.jwtSecret='some-secret' --set global.postgresql.postgresqlPostgresPassword='toto' --kube-version "$KUBE_VERSION" --dry-run --debug -f "$file" "${TEST_CASE_NAME}" ${CHART_TEST_FOLDER} > "${FIXTURE_STATIC_TEST_FOLDER}"
         echo "Ending fixture test test for ${TEST_CASE_NAME}"
     done
 

.cirrus/unit_helm_compatibility_test.sh

@@ -29,6 +29,7 @@ for file in "${STATIC_TEST_FOLDER}"/*; do
         --dry-run \
         --debug \
         --set monitoringPasscode='test' \
+        --set applicationNodes.jwtSecret='some-secret' \
         -f "${file}" "${TEST_CASE_NAME}" "${CHART_PATH}" \
     | kubeconform \
         --kubernetes-version "${KUBE_VERSION}" \

charts/sonarqube-dce/CHANGELOG.md

@@ -5,6 +5,7 @@ All changes to this chart will be documented in this file.
 * Update Chart's version to 2025.4.0
 * Upgrade nginx subchart to 4.12.3
 * Support Kubernetes v1.33
+* Added validation to ensure that either the `applicationNodes.jwtSecret` or `applicationNodes.jwtExistingSecret` value is set
 
 ## [2025.3.0]
 * Update Chart's version to 2025.3.0

charts/sonarqube-dce/Chart.yaml

@@ -31,6 +31,8 @@ annotations:
       description: "Upgrade nginx subchart to 4.12.3"
     - kind: changed
       description: "Support Kubernetes v1.33"
+    - kind: added
+      description: "Added validation to ensure that either the applicationNodes.jwtSecret or applicationNodes.jwtExistingSecret value is set"
   artifacthub.io/links: |
     - name: support
       url: https://community.sonarsource.com/

charts/sonarqube-dce/templates/validation.yaml

@@ -1,3 +1,9 @@
+{{/* Validation for monitoring passcode */}}
 {{- if or (and (not .Values.monitoringPasscode) (not .Values.monitoringPasscodeSecretName) (not .Values.monitoringPasscodeSecretKey)) (and (not .Values.monitoringPasscodeSecretName) .Values.monitoringPasscodeSecretKey) (and .Values.monitoringPasscodeSecretName (not .Values.monitoringPasscodeSecretKey)) -}}
 {{- fail "\n ** The values.yaml file is not valid. ** \n Please provide a passcode either setting \"monitoringPasscode\" or \"monitoringPasscodeSecretName\" and \"monitoringPasscodeSecretKey\"" -}}
 {{- end -}}
+
+{{/* Validation for jwtSecret and existingJwtSecret (XOR check) */}}
+{{- if or (and .Values.ApplicationNodes.jwtSecret .Values.ApplicationNodes.existingJwtSecret) (and (not .Values.ApplicationNodes.jwtSecret) (not .Values.ApplicationNodes.existingJwtSecret)) -}}
+{{- fail "\n ** The values.yaml file is not valid. ** \n You must set a value for either \"jwtSecret\" or \"existingJwtSecret\", but not both." -}}
+{{- end -}}

tests/dynamic-compatibility-test/sonarqube-dce/all-values.yaml

@@ -26,6 +26,7 @@ searchNodes:
 ApplicationNodes:
   sonarProperties:
     sonar.log.level: DEBUG
+  jwtSecret: someSecret
 
 # tests/unit-compatibility-test/sonarqube-dce/ingress-values.yaml
 ingress:

tests/unit-compatibility-test/fixtures/sonarqube-dce/application-values.yaml

@@ -76,7 +76,7 @@ metadata:
     heritage: Helm
 type: Opaque
 data:
-  SONAR_AUTH_JWTBASE64HS256SECRET: ""
+  SONAR_AUTH_JWTBASE64HS256SECRET: "c29tZS1zZWNyZXQ="
 ---
 # Source: sonarqube-dce/templates/secret.yaml
 ---
@@ -402,7 +402,7 @@ spec:
       annotations:
         checksum/plugins: 65d56aea10ed1c0cd6fca52fa0b1119e172bb86bb859739187c1eb364cb09f26
         checksum/config: 52aa90e008d21e2b9dd209b41439f963c6560e7a63594c99030221a63b787a8d
-        checksum/secret: 1e41674c1cc90202f3ed6d4efccc7dc485a6d2334dd4e1e5c83271f6f3b30a9c
+        checksum/secret: 01dcab2809732b9cc414a6fc196fe7549c340721454577fe75b3cd7340630b11
     spec:
       automountServiceAccountToken: false
       initContainers:
@@ -771,7 +771,7 @@ spec:
         checksum/init-sysctl: abb3cec82532ac72ec508ff713f4348a67ebc0250ff6c84dd74514c2ecefba2a
         checksum/init-fs: 42db87ee4aad1d5bed387840b22747c74a26dc96794f91e1e52d48756fd58c2d
         checksum/config: 52aa90e008d21e2b9dd209b41439f963c6560e7a63594c99030221a63b787a8d
-        checksum/secret: 1e41674c1cc90202f3ed6d4efccc7dc485a6d2334dd4e1e5c83271f6f3b30a9c
+        checksum/secret: 01dcab2809732b9cc414a6fc196fe7549c340721454577fe75b3cd7340630b11
     spec:
       automountServiceAccountToken: false
       initContainers:

tests/unit-compatibility-test/fixtures/sonarqube-dce/ca-certificates-configmap.yaml

@@ -76,7 +76,7 @@ metadata:
     heritage: Helm
 type: Opaque
 data:
-  SONAR_AUTH_JWTBASE64HS256SECRET: ""
+  SONAR_AUTH_JWTBASE64HS256SECRET: "c29tZS1zZWNyZXQ="
 ---
 # Source: sonarqube-dce/templates/secret.yaml
 ---
@@ -419,7 +419,7 @@ spec:
       annotations:
         checksum/plugins: 5e4cfa308393c7ca89f120b028dd53cf70d38bb377ea3a33423e5fb74edfcdc6
         checksum/config: ba70acaa0a7181daf62e5f4dbdc41b1300512b11ea795f4901aede87df9105da
-        checksum/secret: 70247c2dbe7d96b834e275fbce23f2b30beadb66d83f9168fde1151c01e9956d
+        checksum/secret: 166c32a438d7226e9499c3706b63e38caf6f5dad4ba8358b4b9746971a0d989d
     spec:
       automountServiceAccountToken: false
       initContainers:
@@ -860,7 +860,7 @@ spec:
         checksum/init-sysctl: b3cdd18fe1febdb4e7de8a5e729ab44e8cd2e5a2dd042031ac4c9a5d1e29f8b5
         checksum/init-fs: ea5f89376cf540cc7f3dd8d8c04431da798ea0480dc4558e570a3db41f740541
         checksum/config: ba70acaa0a7181daf62e5f4dbdc41b1300512b11ea795f4901aede87df9105da
-        checksum/secret: 70247c2dbe7d96b834e275fbce23f2b30beadb66d83f9168fde1151c01e9956d
+        checksum/secret: 166c32a438d7226e9499c3706b63e38caf6f5dad4ba8358b4b9746971a0d989d
     spec:
       automountServiceAccountToken: false
       initContainers:

tests/unit-compatibility-test/fixtures/sonarqube-dce/ca-certificates-secret.yaml

@@ -76,7 +76,7 @@ metadata:
     heritage: Helm
 type: Opaque
 data:
-  SONAR_AUTH_JWTBASE64HS256SECRET: ""
+  SONAR_AUTH_JWTBASE64HS256SECRET: "c29tZS1zZWNyZXQ="
 ---
 # Source: sonarqube-dce/templates/secret.yaml
 ---
@@ -403,7 +403,7 @@ spec:
       annotations:
         checksum/plugins: 02ed19b642943e663f38735420eb71a86a72bc8decf121e5dee94fe6bd0a2e93
         checksum/config: a6b7f0fd2ac14026c8a6411fe253bcaecd9c9a1df808ff506fb53af6d72385e6
-        checksum/secret: 3becd5d31be9df39332441d3fd675b9f0f92cba26a8cf489bbc7b195a54fe9c6
+        checksum/secret: e9b03728d46108380e928ac3b261daff37a38fb55d73ba80bc12190e5f11ae51
     spec:
       automountServiceAccountToken: false
       initContainers:
@@ -799,7 +799,7 @@ spec:
         checksum/init-sysctl: 22cc1c844c39540f63da86297054685b42f1a7b30f5724a3ac1dc7c87f7343f1
         checksum/init-fs: 7e710847fac552e19060ee83d35d1f18d09a367ddee33f17b1fa5fc4942b834c
         checksum/config: a6b7f0fd2ac14026c8a6411fe253bcaecd9c9a1df808ff506fb53af6d72385e6
-        checksum/secret: 3becd5d31be9df39332441d3fd675b9f0f92cba26a8cf489bbc7b195a54fe9c6
+        checksum/secret: e9b03728d46108380e928ac3b261daff37a38fb55d73ba80bc12190e5f11ae51
     spec:
       automountServiceAccountToken: false
       initContainers:

tests/unit-compatibility-test/fixtures/sonarqube-dce/change-admin-password-hook-values.yaml

@@ -76,7 +76,7 @@ metadata:
     heritage: Helm
 type: Opaque
 data:
-  SONAR_AUTH_JWTBASE64HS256SECRET: ""
+  SONAR_AUTH_JWTBASE64HS256SECRET: "c29tZS1zZWNyZXQ="
 ---
 # Source: sonarqube-dce/templates/secret.yaml
 apiVersion: v1
@@ -416,7 +416,7 @@ spec:
       annotations:
         checksum/plugins: fba434ce910a0bb523913cbfe9ab0e2b422cab6cc534bb62c78d2b2beed9fe42
         checksum/config: 40e1d013116c1b57a1b296e5a5de956c79bfd4c5de73d4ca9fcd783ad1bba5ec
-        checksum/secret: 7dbef8d9b088aceee1c55756efe66344220c03fbd0727bd254b3571e06b65769
+        checksum/secret: 640b684f0291cc17fb4e3822b55cb3e8a739e012ec8b81461eff0fda6057c60f
     spec:
       automountServiceAccountToken: false
       initContainers:
@@ -785,7 +785,7 @@ spec:
         checksum/init-sysctl: a5ac379545dd2307eae35cf4b7c8c32a50b3202089e02b7f81d4f537adaf8851
         checksum/init-fs: a3cbfaa6bed90db39cd45a7938f41a3b1406128dda539a091bfbb3571472bfe5
         checksum/config: 40e1d013116c1b57a1b296e5a5de956c79bfd4c5de73d4ca9fcd783ad1bba5ec
-        checksum/secret: 7dbef8d9b088aceee1c55756efe66344220c03fbd0727bd254b3571e06b65769
+        checksum/secret: 640b684f0291cc17fb4e3822b55cb3e8a739e012ec8b81461eff0fda6057c60f
     spec:
       automountServiceAccountToken: false
       initContainers: