Prepare release 4.11 (#1358)

Author: BraisVQ

.github/workflows/continuous-integration-workflow.yml

@@ -51,7 +51,7 @@ jobs:
     runs-on: ubuntu-22.04
     strategy:
       matrix:
-        version: ['10.8.0'] # 9.9 = LTS
+        version: ['2025.5.0']
         edition: ['developer', 'enterprise']
     steps:
       -
@@ -66,6 +66,21 @@ jobs:
         run: |
           cd sonarqube && ./test.sh --sq-version=${{ matrix.version }} --sq-edition=${{ matrix.edition }}
 
+  sonarqube-postgresql:
+    name: SonarQube PostgreSQL tests
+    runs-on: ubuntu-22.04
+    steps:
+      -
+        name: Checkout repository
+        uses: actions/checkout@v4.2.2
+      -
+        name: Build docker image
+        run: |
+          ./.github/workflows/build-docker-image.sh \
+          --imagename ods-sonarqube-postgresql \
+          --dockerdir sonarqube/docker \
+          --dockerfile Dockerfile.database
+
   nexus:
     name: Nexus tests
     runs-on: ubuntu-22.04

CHANGELOG.md

@@ -5,10 +5,21 @@
 ### Added
 
 ### Changed
-- Adapted Sonarqube server configuration to make projects private and have custom gate ([#1347](https://github.com/opendevstack/ods-core/pull/1347))
 
 ### Fixed
 
+## [4.11.0] - 2025-12-03
+
+### Added
+- New core component, OpenDevStack API service ([#1356](https://github.com/opendevstack/ods-core/pull/1356)) & ([#1357](https://github.com/opendevstack/ods-core/pull/1357))
+
+### Changed
+- Change Cnes report to custom SonarQube report ([#1354](https://github.com/opendevstack/ods-core/pull/1354))
+- Adapted Sonarqube server configuration to make projects private and have custom gate ([#1347](https://github.com/opendevstack/ods-core/pull/1347))
+- Update Aqua cli to 2022.4.829 ([#1353](https://github.com/opendevstack/ods-core/pull/1353))
+- Update SonarQube and use local image for database ([#1343](https://github.com/opendevstack/ods-core/pull/1343))
+- Cleanup SonarQube backup process as data folder for server does not need backup ([#1355](https://github.com/opendevstack/ods-core/pull/1355))
+
 ## [4.10.0] - 2025-10-08
 ### Added
 - Added post creation process ([#1351](https://github.com/opendevstack/ods-core/pull/1351))

Makefile

@@ -4,10 +4,14 @@ SHELL = /bin/bash
 MAKEFLAGS += --warn-undefined-variables
 MAKEFLAGS += --no-builtin-rules
 
-# Load environment variables from .env file
+# Load environment variables from ods-core.env file
 include ../ods-configuration/ods-core.env
 export $(shell sed 's/=.*//' ../ods-configuration/ods-core.env)
 
+# Load environment variables from ods-core.ods-api-service.env file
+include ../ods-configuration/ods-core.ods-api-service.env
+export $(shell sed 's/=.*//' ../ods-configuration/ods-core.ods-api-service.env)
+
 INSECURE := false
 INSECURE_FLAG :=
 ifeq ($(INSECURE), $(filter $(INSECURE), true yes))
@@ -131,13 +135,13 @@ apply-sonarqube-chart:
 
 ## Start build of BuildConfig "sonarqube".
 start-sonarqube-build:
-	ocp-scripts/start-and-follow-build.sh --namespace $(ODS_NAMESPACE) --build-config sonarqube
+	ocp-scripts/start-and-follow-build.sh --namespace $(ODS_NAMESPACE) --build-config sonarqube && ocp-scripts/start-and-follow-build.sh --namespace $(ODS_NAMESPACE) --build-config sonarqube-postgresql
 	@echo "Visit $(SONARQUBE_URL)/setup to see if any update actions need to be taken."
 .PHONY: start-sonarqube-build
 
 ## Configure SonarQube service.
 configure-sonarqube:
-	cd sonarqube && ./configure.sh --sonarqube=$(SONARQUBE_URL) $(INSECURE_FLAG)
+	cd sonarqube && ./configure.sh --sonarqube=$(SONARQUBE_URL) --database-config=true $(INSECURE_FLAG)
 .PHONY: configure-sonarqube
 
 
@@ -178,23 +182,48 @@ start-opentelemetry-collector-build:
 	ocp-scripts/start-and-follow-build.sh --namespace $(ODS_NAMESPACE) --build-config opentelemetry-collector
 .PHONY: start-opentelemetry-collector-build
 
+# ODS API SERVICE
+## Install or update Ods API Service.
+install-ods-api-service: start-ods-api-service-build apply-ods-api-service-chart
+.PHONY: ods-api-service
+
+## Start build of BuildConfig "Ods API Service".
+start-ods-api-service-build:
+	cd ods-api-service/build-config && oc process -f template.yaml -p ODS_NAMESPACE=$(ODS_NAMESPACE) -p ODS_IMAGE_TAG=$(ODS_IMAGE_TAG) -p BITBUCKET_URL=$(BITBUCKET_URL) -p ODS_BITBUCKET_PROJECT=$(ODS_BITBUCKET_PROJECT) -p ODS_GIT_REF=$(ODS_GIT_REF) -p ODS_API_SERVICE_VERSION=$(ODS_API_SERVICE_VERSION) | oc apply --namespace $(ODS_NAMESPACE) -f -
+	ocp-scripts/start-and-follow-build.sh --namespace $(ODS_NAMESPACE) --build-config ods-api-service
+.PHONY: start-ods-api-service-build
+
+## Apply OpenShift resources related to the Ods API Service.
+apply-ods-api-service-chart:
+	cd ods-api-service/chart && envsubst < values.yaml.template > values.yaml && helm upgrade --install --namespace $(ODS_NAMESPACE) \
+		-f values.yaml \
+		--set projectId=$(ODS_NAMESPACE) \
+		--set appSelector=app=ods-api-service \
+		--set registry=$(DOCKER_REGISTRY) \
+		--set componentId=ods-api-service \
+		--set global.projectId=$(ODS_NAMESPACE) \
+		--set global.appSelector=app=ods-api-service \
+		--set global.registry=$(DOCKER_REGISTRY) \
+		--set global.componentId=ods-api-service \
+		--set imageNamespace=$(ODS_NAMESPACE) \
+		--set imageTag=$(ODS_IMAGE_TAG) \
+		--set global.imageNamespace=$(ODS_NAMESPACE) \
+		--set global.imageTag=$(ODS_IMAGE_TAG) \
+		--set ODS_OPENSHIFT_APP_DOMAIN=$(OPENSHIFT_APPS_BASEDOMAIN) \
+		ods-api-service . && rm values.yaml
+.PHONY: apply-ods-api-service-chart
+
 
 # BACKUP
 ## Create a backup of the current state.
-backup: backup-sonarqube backup-ocp-config
+backup: backup-ocp-config
 .PHONY: backup
 
 ## Create a backup of OpenShift resources in "ods" namespace.
 backup-ocp-config:
 	tailor export --namespace $(ODS_NAMESPACE) > backup_ods.yml
 .PHONY: backup-ocp-config
 
-## Create a backup of the SonarQube database in backup storage and in the current directory.
-backup-sonarqube:
-	cd sonarqube && ./backup.sh --namespace $(ODS_NAMESPACE) --local-copy=true --backup-dir `pwd`
-.PHONY: backup-sonarqube
-
-
 # PVC MIGRATION
 ## Migrate data from one PVC to another. Options: SOURCE_PVC, TARGET_PVC, THREADS (default: 5), CPU_REQUEST (default: 1), MEMORY (default: 2)
 migrate-pvc-data:

configuration-sample/ods-core.env.sample

@@ -89,7 +89,7 @@ NEXUS_STORAGE_PROVISIONER="ebs.csi.aws.com"
 # Storage class for Nexus data, for AWS this should be "gp3-csi"
 NEXUS_STORAGE_CLASS_DATA="gp3-csi"
 
-# Storage class for Nexus backup, for AWS this should be "gp2-encrypted"
+# Storage class for Nexus backup, for AWS this should be "csi-aws-vsc"
 NEXUS_STORAGE_CLASS_BACKUP="csi-aws-vsc"
 
 # Nexus snapshot configuration, default to run daily at 2 AM
@@ -124,6 +124,8 @@ SONAR_ADMIN_PASSWORD_B64=changeme
 # Authentication token used by sonar-scanner-cli from Jenkins pipelines.
 # Do not change the value manually - the token is created and set automatically during "make configure-sonarqube".
 SONAR_AUTH_TOKEN_B64=changeme
+# Web authetification code, needed for liveness Probe
+SONAR_WEB_SYSTEMPASSCODE_B64=changeme
 
 # Toggle authentication via SAML
 SONAR_AUTH_SAML='true'
@@ -138,14 +140,17 @@ SONAR_SAML_CERTIFICATE_B64=changeme
 # Image to use for the PostgreSQL database. This needs to be compatible with
 # your SonarQube version, see https://docs.sonarqube.org/latest/requirements/requirements/.
 # Take care when upgrading either database or SQ version.
-# E.g. registry.redhat.io/rhel9/postgresql-15
-SONAR_DATABASE_IMAGE=docker-registry.default.svc:5000/openshift/postgresql:15
+# E.g. registry.redhat.io/rhel10/postgresql-16
+SONAR_DATABASE_IMAGE=registry.redhat.io/rhel10/postgresql-16
 # Connection string for JDBC. Typically this does not need to be changed.
 SONAR_DATABASE_JDBC_URL=jdbc:postgresql://sonarqube-postgresql:5432/sonarqube
 # Database name for SonarQube. Typically this does not need to be changed.
 SONAR_DATABASE_NAME=sonarqube
 # Password of SonarQube database - should be set to a secure password.
 SONAR_DATABASE_PASSWORD_B64=changeme
+SONAR_DATABASE_SUPER_NAME=super_sonarqube
+# Super Password of SonarQube database - should be set to a secure password.
+SONAR_DATABASE_SUPER_PASSWORD_B64=changeme
 # User of SonarQube database. Typically this does not need to be changed.
 SONAR_DATABASE_USER=sonarqube
 
@@ -157,29 +162,62 @@ SONAR_EDITION=developer
 # SonarQube version.
 # See Dockerhub https://hub.docker.com/_/sonarqube/tags
 # Officially supported is:
-# - 10.8.0
-SONAR_VERSION=10.8.0
+# - 2025.5.0
+SONAR_VERSION=2025.5.0
 
 # SonarQube memory and CPU resources
-SONARQUBE_CPU_REQUEST=200m
-SONARQUBE_MEMORY_REQUEST=2Gi
-SONARQUBE_CPU_LIMIT=1
-SONARQUBE_MEMORY_LIMIT=4Gi
+SONARQUBE_CPU_REQUEST=300m
+SONARQUBE_MEMORY_REQUEST=5Gi
+SONARQUBE_CPU_LIMIT=2
+SONARQUBE_MEMORY_LIMIT=5Gi
 
 # SonarQube data and backup capacity
 SONARQUBE_DATA_CAPACITY=2Gi
 SONARQUBE_EXTENSIONS_CAPACITY=1Gi
 
 # SonarQube database memory and CPU resources
-SONARQUBE_DB_CPU_REQUEST=100m
-SONARQUBE_DB_MEMORY_REQUEST=256Mi
-SONARQUBE_DB_CPU_LIMIT=1
+SONARQUBE_DB_CPU_REQUEST=200m
+SONARQUBE_DB_MEMORY_REQUEST=512Mi
+SONARQUBE_DB_CPU_LIMIT=2
 SONARQUBE_DB_MEMORY_LIMIT=512Mi
 
 # SonarQube database and backup capacity
 SONARQUBE_DB_CAPACITY=2Gi
 SONARQUBE_DB_BACKUP_CAPACITY=1Gi
 
+# SonarQube data storage name
+SONARQUBE_DATA_STORAGE_NAME="sonarqube-data-storage"
+
+# Storage class provisioner for SonarQube data, for AWS this should be "ebs.csi.aws.com"
+SONARQUBE_STORAGE_PROVISIONER=""
+
+# Storage class for SonarQube data, for AWS this should be "gp3-csi"
+SONARQUBE_STORAGE_CLASS_DATA=""
+
+# Storage class provisioner for fast SonarQube storage, for AWS this should be "ebs.csi.aws.com"
+SONARQUBE_FAST_STORAGE_PROVISIONER="ebs.csi.aws.com"
+
+# Storage class for fast SonarQube data, for AWS this should be "gp3-csi"
+SONARQUBE_FAST_STORAGE_CLASS_DATA="gp3-csi"
+
+# Storage class for fast SonarQube backup, for AWS this should be "csi-aws-vsc"
+SONARQUBE_FAST_STORAGE_CLASS_BACKUP="csi-aws-vsc"
+
+# SonarQube backup configuration, default to run daily at 2 AM
+SONARQUBE_BACKUP_SCHEDULE="0 2 * * *"
+
+# SonarQube DB backup TTL in days (default: 30 days)
+SONARQUBE_DB_BACKUP_TTL=30
+
+# SonarQube scan configuration
+SONAR_SCAN_ENABLED="true"
+SONAR_SCAN_EXCLUSIONS=".json,.xml,**/__pycache__/**,**/*.pyc,/venv/,/.venv/,/site-packages/,/node_modules/,/dist/,/build/,/out/,/coverage/,/.next/,/.parcel-cache/,/target/,/.gradle/,/.mvn/,/vendor/,/bin/,/obj/,/build/libs/,/.terraform/,/pkg/,/android/,/ios/,/www/,/target/**,/Cargo.lock,/target/,/**/*.class,/**/*.jar,/**/*.war"
+SONAR_SCAN_NEXUS_REPOSITORY=leva-documentation
+SONAR_SCAN_ALERT_EMAILS=
+SONAR_SCAN_PROJECTS_PRIVATE="false"
+SONAR_SCAN_ACCOUNT=cd-user-with-password
+
+
 #########
 # Jira #
 #########
@@ -273,8 +311,8 @@ JENKINS_AGENT_BASE_SNYK_DISTRIBUTION_URL=https://github.com/snyk/snyk/releases/d
 # Releases are published at https://download.aquasec.com/scanner
 # Check Aqua versions backward compatibility at https://docs.aquasec.com/docs/version-compatibility-of-components#section-backward-compatibility-across-two-major-versions
 # To Download the aquaSec scanner cli and check their documentaion requires a valid account on aquasec.com
-# Latest tested version is 2022.4.760
-# Example: https://<USER>:<PASSWORD>@download.aquasec.com/scanner/2022.4.760/scannercli
+# Latest tested version is 2022.4.829
+# Example: https://<USER>:<PASSWORD>@download.aquasec.com/scanner/2022.4.829/scannercli
 JENKINS_AGENT_BASE_AQUASEC_SCANNERCLI_URL=
 
 # Repository of shared library

configuration-sample/ods-core.ods-api-service.env.sample

@@ -0,0 +1,81 @@
+#####################################################
+# Global configuration for OpenDevStack Api Service #
+#####################################################
+
+# OpenDevStack Api Service Version
+# See https://github.com/opendevstack/ods-api-service/releases
+ODS_API_SERVICE_VERSION=0.0.1
+
+# JVM configuration
+JAVA_OPTS=-Xmx1g -Djavax.net.ssl.trustStore=/home/default/custom-truststore.jks -Djavax.net.ssl.trustStorePassword=changeit
+
+# Logging Configuration
+DEFAULT_LOG_LEVEL=INFO
+
+# OAuth2 Configuration
+OAUTH2_ISSUER=https://sts.example.com/tenant-id/
+OAUTH2_AUDIENCE=api://example-audience-id
+OAUTH2_JWK_SET_URI=https://sts.example.com/tenant-id/discovery/keys
+
+# Certificate URLs
+CERT_URLS=https://example.com/pki/root-ca.crt,https://example.com/pki/issuing-ca-01.crt
+
+# OpenAPI Configuration
+OPENAPI_SERVER_URL=https://ods-api-service.example.com
+CONTACT_EMAIL=support@example.com
+
+# AAP Configuration
+AAP_BASE_URL=https://aap.example.com/api/v2/
+AAP_USERNAME=aap-user
+AAP_PASSWORD=aap-password-change-me
+
+# UIPath Configuration
+UIPATH_HOST=https://uipath.example.com
+UIPATH_CLIENT_ID=example-client-id
+UIPATH_CLIENT_SECRET=example-client-secret
+UIPATH_TENANCY_NAME=default
+UIPATH_ORGANIZATION_UNIT_ID=1
+UIPATH_LOGIN_ENDPOINT=/api/Account/Authenticate
+UIPATH_QUEUE_ITEMS_ENDPOINT=/odata/QueueItems
+
+# Projects Info Service
+PROJECTS_INFO_SERVICE_BASE_URL=https://projects-info-service.example.com
+AZURE_ACCESS_TOKEN=example-azure-token
+AZURE_DATAHUB_GROUP_ID=example-datahub-group
+TESTING_HUB_API_URL=https://testinghub-api.example.com/v1/projects
+TESTING_HUB_API_TOKEN=example-testing-hub-token
+TESTING_HUB_DEFAULT_PROJECTS=PROJECT1:1, PROJECT2:2
+
+# OpenShift Cluster Tokens
+OPENSHIFT_USTEST_API_URL=https://api.us-test.example.com:6443
+OPENSHIFT_USTEST_TOKEN=example-ustest-token-change-me
+
+OPENSHIFT_EUDEV_API_URL=https://api.eu-dev.example.com:6443
+OPENSHIFT_EUDEV_TOKEN=example-eudev-token-change-me
+
+OPENSHIFT_USDEV_API_URL=https://api.us-dev.example.com:6443
+OPENSHIFT_USDEV_TOKEN=example-usdev-token-change-me
+
+OPENSHIFT_CNDEV_API_URL=https://api.cn-dev.example.com:6443
+OPENSHIFT_CNDEV_TOKEN=example-cndev-token-change-me
+
+OPENSHIFT_INHDEV_API_URL=https://api.inh-dev.example.com:6443
+OPENSHIFT_INHDEV_TOKEN=example-inhdev-token-change-me
+
+# Bitbucket Platforms Configuration
+BITBUCKET_PLATFORMS_BASE_PATH=https://bitbucket.example.com/projects/PLATFORMS/repos/sections-links/raw/
+BITBUCKET_PLATFORMS_USTEST=us-test-sections.yml?at=main
+BITBUCKET_PLATFORMS_EUDEV=eu-sections.yml?at=main
+BITBUCKET_PLATFORMS_USDEV=us-sections.yml?at=main
+BITBUCKET_PLATFORMS_CNDEV=cn-sections.yml?at=main
+BITBUCKET_PLATFORMS_INHDEV=inh-sections.yml?at=main
+BITBUCKET_PLATFORMS_BEARER_TOKEN=example-bitbucket-bearer-token
+
+# Project Users JWT Secret
+PROJECT_USERS_JWT_SECRET=example-jwt-secret-key-256bit-change-in-production
+PROJECT_USERS_WORKFLOW_NAME=example-api-service-add-user-to-project-workflow
+PROJECT_USERS_JWT_EXPIRATION_HOURS=24
+
+# OpenTelemetry Endpoint
+OTEL_EXPORTER_OTLP_ENDPOINT=http://opentelemetry-collector.example.com
+

jenkins/agent-base/Dockerfile.ubi8

@@ -2,8 +2,8 @@ FROM quay.io/openshift/origin-jenkins-agent-base
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
-ENV SONAR_SCANNER_VERSION=6.2.1.4610 \
-    CNES_REPORT_VERSION=5.0.0 \
+ENV SONAR_SCANNER_VERSION=7.3.0.5189 \
+    SONAR_REPORT_VERSION=1.2 \
     COSIGN_VERSION=2.4.3 \
     TAILOR_VERSION=1.3.4 \
     SOPS_VERSION=3.9.0 \
@@ -57,12 +57,12 @@ RUN cd /tmp \
     && /usr/local/sonar-scanner-cli/bin/sonar-scanner --version
 ENV PATH=/usr/local/sonar-scanner-cli/bin:$PATH
 
-# Add sq cnes report jar.
+# Add sq report jar.
 RUN cd /tmp \
-    && curl -sSL https://github.com/cnescatlab/sonar-cnes-report/releases/download/${CNES_REPORT_VERSION}/sonar-cnes-report-${CNES_REPORT_VERSION}.jar -o cnesreport.jar \
-    && mkdir /usr/local/cnes \
-    && mv cnesreport.jar /usr/local/cnes/cnesreport.jar \
-    && chmod 777 /usr/local/cnes/cnesreport.jar
+    && curl -sSL https://github.com/opendevstack/sonar-report/releases/download/v${SONAR_REPORT_VERSION}/sonar-report-v${SONAR_REPORT_VERSION}.jar -o sonar-report.jar \
+    && mkdir /usr/local/sonar \
+    && mv sonar-report.jar /usr/local/sonar/sonar-report.jar \
+    && chmod 777 /usr/local/sonar/sonar-report.jar
 
 # Install sigstore/cosign
 RUN cd /tmp \