SonarQube offers Code Quality and Code Security analysis for up to 27 languages. Find Bugs, Vulnerabilities, Security Hotspots and Code Smells throughout your workflow.
This chart bootstraps an instance of the latest SonarQube version with a PostgreSQL database. A helm chart is also available for the LTS version.
Please note that this chart only supports SonarQube Community, Developer, and Enterprise Editions.
SonarQube Version | Kubernetes Version | Helm Chart Version |
---|---|---|
9.0 | 1.19, 1.20, 1.21 | 1.1 |
To install the chart:
git clone https://github.com/SonarSource/helm-chart-sonarqube.git
cd helm-chart-sonarqube/charts/sonarqube
helm dependency update
kubectl create namespace sonarqube
helm upgrade --install -f values.yaml -n sonarqube sonarqube ./
The above command deploys Sonarqube on the Kubernetes cluster in the default configuration in the sonarqube namespace. The configuration section lists the parameters that can be configured during installation.
The default login is admin/admin.
Take some time to read the Deploy on SonarQube on Kubernetes page. SonarQube deployment on Kubernetes has been tested with the recommendations and constraints documented there, and deployment has some limitations.
To uninstall/delete the deployment:
$ helm list
NAME REVISION UPDATED STATUS CHART NAMESPACE
kindly-newt 1 Mon Oct 2 15:05:44 2017 DEPLOYED sonarqube-0.1.0 sonarqube
$ helm delete kindly-newt
- Read through the SonarQube Upgrade Guide to familiarize yourself with the general upgrade process (most importantly, back up your database)
- Change the SonarQube version on
values.yaml
- Redeploy SonarQube with the same helm chart (see Install instructions)
- Browse to http://yourSonarQubeServerURL/setup and follow the setup instructions
- Reanalyze your projects to get fresh data
Some cloud may need the path to be /*
instead of /.
Try this first if you are having issues getting traffic through the ingress.
if you use GCP as a cloud provider you need to set a default backend to avoid useless default backend created by the gce controller. To add this default backend you must set "ingress.class" annotation with "gce" or "gce-internal" value.
Example:
---
ingress:
enabled: true
hosts:
- name: sonarqube.example.com
path: "/*"
annotations:
kubernetes.io/ingress.class: "gce-internal"
kubernetes.io/ingress.allow-http: "false"
This Helm chart offers the possibilitie to monitor SonarQube with Prometheus. Per default the jmx metrics for the Web Bean and the CE Bean are exposed on port 8000 and 8001. These Values can be configures with prometheusExporter.webBeanPort
and prometheusExporter.ceBeanPort
.
if you are using the Prometheus Operator, you can configure a PodMonitor like this to let the scrape configuration automatically be generated by the Operator:
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
name: sonarqube
namespace: monitoring
spec:
namespaceSelector:
matchNames:
- sonarqube
podMetricsEndpoints:
- interval: 30s
path: /
scheme: http
targetPort: monitoring-ce
- interval: 30s
path: /
scheme: http
targetPort: monitoring-web
selector:
matchLabels:
app: sonarqube
The following table lists the configurable parameters of the Sonarqube chart and their default values.
Parameter | Description | Default |
---|---|---|
deploymentType |
Deployment Type | StatefulSet |
replicaCount |
Number of replicas deployed | 1 |
deploymentStrategy |
Deployment strategy | {} |
priorityClassName |
Schedule pods on priority (commented out) | "high-priority" |
schedulerName |
Kubernetes scheduler name | None |
OpenShift.enabled |
Define if this deployment is for OpenShift | false |
OpenShift.createSCC |
If this deployment is for OpenShift, define if SCC should be created for sonarqube pod | true |
image.repository |
image repository | sonarqube |
image.tag |
sonarqube image tag. |
9.0.1-community |
image.pullPolicy |
Image pull policy | IfNotPresent |
image.pullSecret |
imagePullSecret to use for private repository (commented out) | my-repo-secret |
securityContext.fsGroup |
Group applied to mounted directories/files | 1000 |
containerSecurityContext.runAsUser |
User to run containers in sonarqube pod as, unless overwritten (such as for init-sysctl container) | 1000 |
elasticsearch.configureNode |
[DEPRECATED] Use initSysctl.enabled instead. | true |
elasticsearch.bootstrapChecks |
Enables/disables Elasticsearch bootstrap checks | true |
nginx.enabled |
Also install Nginx Ingress Helm | false |
service.type |
Kubernetes service type | ClusterIP |
service.externalPort |
Kubernetes service port | 9000 |
service.internalPort |
Kubernetes container port | 9000 |
service.labels |
Kubernetes service labels | None |
service.annotations |
Kubernetes service annotations | None |
service.loadBalancerSourceRanges |
Kubernetes service LB Allowed inbound IP addresses | None |
service.loadBalancerIP |
Kubernetes service LB Optional fixed external IP | None |
ingress.enabled |
Flag for enabling ingress | false |
ingress.labels |
Ingress additional labels | {} |
ingress.hosts[0].name |
Hostname to your SonarQube installation | sonarqube.your-org.com |
ingress.hosts[0].path |
Path within the URL structure | / |
ingress.hosts[0].serviceName |
Optional field to override the default serviceName of a path | None |
ingress.hosts[0].servicePort |
Optional field to override the default servicePort of a path | None |
ingress.tls |
Ingress secrets for TLS certificates | [] |
ingress.ingressClassName |
Optional field to configure ingress class name | None |
route.enabled |
Flag for enabling route | false |
route.tls.termination |
TLS termination type. Currently supported values are edge and passthrough | edge |
affinity |
Node / Pod affinities | {} |
tolerations |
List of node taints to tolerate | [] |
nodeSelector |
Node labels for pod assignment | {} |
hostAliases |
Aliases for IPs in /etc/hosts | [] |
readinessProbe.initialDelaySecond |
ReadinessProbe initial delay for SonarQube checking | 60 |
readinessProbe.periodSeconds |
ReadinessProbe period between checking SonarQube | 30 |
readinessProbe.failureThreshold |
ReadinessProbe thresold for marking as failed | 6 |
readinessProbe.sonarWebContext |
SonarQube web context for readinessProbe | / |
livenessProbe.initialDelaySecond |
LivenessProbe initial delay for SonarQube checking | 60 |
livenessProbe.periodSeconds |
LivenessProbe period between checking SonarQube | 30 |
livenessProbe.sonarWebContext |
SonarQube web context for livenessProbe | / |
livenessProbe.failureThreshold |
LivenessProbe thresold for marking as dead | 6 |
startupProbe.initialDelaySecond |
StartupProbe initial delay for SonarQube checking | 30 |
startupProbe.periodSeconds |
StartupProbe period between checking SonarQube | 10 |
startupProbe.sonarWebContext |
SonarQube web context for StartupProbe | / |
startupProbe.failureThreshold |
StartupProbe thresold for marking as failed | 24 |
initContainers.image |
Change init container image | busybox:1.32 |
initContainers.securityContext |
SecurityContext for init containers | nil |
initContainers.resources |
Resources for init containers | {} |
extraInitContainers |
Extra init containers to e.g. download required artifacts | {} |
extraContainers |
Array of extra containers to run alongside the sonarqube container |
[] |
caCerts.image |
Change init CA certificates container image | adoptopenjdk/openjdk11:alpine |
caCerts.secret |
Name of the secret containing additional CA certificates | nil |
initSysctl.enabled |
Modify k8s worker to conform to system requirements | true |
initSysctl.vmMaxMapCount |
Set init sysctl container vm.max_map_count | 524288 |
initSysctl.fsFileMax |
Set init sysctl container fs.file-max | 131072 |
initSysctl.nofile |
Set init sysctl container open file descriptors limit | 131072 |
initSysctl.nproc |
Set init sysctl container open threads limit | 8192 |
initSysctl.image |
Change init sysctl container image | busybox:1.32 |
initSysctl.securityContext |
InitSysctl container security context | {privileged: true} |
initSysctl.resources |
InitSysctl container resource requests & limits | {} |
initFs.enabled |
Enable file permission change with init container | true |
initFs.image |
InitFS container image | busybox:1.32 |
initFs.securityContext.privileged |
InitFS container needs to run privileged | true |
prometheusExporter.enabled |
Use the Prometheus JMX exporter | true |
prometheusExporter.version |
jmx_prometheus_javaagent version to download from Maven Central | 0.16.0 |
prometheusExporter.noCheckCertificate |
Flag to not check server's certificate when downloading jmx_prometheus_javaagent | false |
prometheusExporter.webBeanPort |
Port where the jmx_prometheus_javaagent exposes the metrics for the webBean | 8000 |
prometheusExporter.ceBeanPort |
Port where the jmx_prometheus_javaagent exposes the metrics for the ceBean | 8001 |
prometheusExporter.downloadURL |
Alternative full download URL for the jmx_prometheus_javaagent.jar (overrides prometheusExporter.version ) |
"" |
prometheusExporter.config |
Prometheus JMX exporter config yaml for the web process, and the CE process if prometheusExporter.ceConfig is not set |
see values.yaml |
prometheusExporter.ceConfig |
Prometheus JMX exporter config yaml for the CE process (by default, prometheusExporter.config is used) |
None |
prometheusExporter.httpProxy |
HTTP proxy for downloading JMX agent | "" |
prometheusExporter.httpsProxy |
HTTPS proxy for downloading JMX agent | "" |
prometheusExporter.noProxy |
No proxy for downloading JMX agent | "" |
prometheusExporter.securityContext |
Security context for downloading the jmx agent | see values.yaml |
plugins.install |
List of plugins to install | [] |
plugins.lib |
Plugins libray | [] |
plugins.resources |
Plugin Pod resource requests & limits | {} |
plugins.httpProxy |
For use behind a corporate proxy when downloading plugins | "" |
plugins.httpsProxy |
For use behind a corporate proxy when downloading plugins | "" |
plugins.noProxy |
For use behind a corporate proxy when downloading plugins | "" |
plugins.image |
Image for plugins container | "" |
plugins.resources |
Resources for plugins container | "" |
plugins.netrcCreds |
Name of the secret containing .netrc file to use creds when downloading plugins | "" |
plugins.noCheckCertificate |
Flag to not check server's certificate when downloading plugins | false |
plugins.securityContext |
Security context for the container to download plugins | see values.yaml |
jvmOpts |
Values to add to SONARQUBE_WEB_JVM_OPTS | "" |
jvmCEOpts |
Values to add to SONAR_CE_JAVAOPTS | "" |
monitoringPasscode |
Value for sonar.web.systemPasscode. needed for liveness probes | "define_it" |
env |
Environment variables to attach to the pods | nil |
annotations |
Sonarqube Pod annotations | {} |
resources.requests.memory |
Sonarqube memory request | 2Gi |
resources.requests.cpu |
Sonarqube cpu request | 400m |
resources.limits.memory |
Sonarqube memory limit | 4096M |
resources.limits.cpu |
Sonarqube cpu limit | 800m |
persistence.enabled |
Flag for enabling persistent storage | false |
persistence.annotations |
Kubernetes pvc annotations | {} |
persistence.existingClaim |
Do not create a new PVC but use this one | None |
persistence.storageClass |
Storage class to be used | "" |
persistence.accessMode |
Volumes access mode to be set | ReadWriteOnce |
persistence.size |
Size of the volume | 5Gi |
persistence.volumes |
Specify extra volumes. Refer to ".spec.volumes" specification | [] |
persistence.mounts |
Specify extra mounts. Refer to ".spec.containers.volumeMounts" specification | [] |
emptyDir |
Configuration of resources for emptyDir |
{} |
sonarProperties |
Custom sonar.properties file |
None |
sonarSecretProperties |
Additional sonar.properties file to load from a secret |
None |
sonarSecretKey |
Name of existing secret used for settings encryption | None |
jdbcDatabaseType |
Type of the JDBC Database driver | postgreql |
jdbcOverwrite.enable |
Enable JDBC overwrites for external Databases (disables postgresql.enabled ) |
false |
jdbcOverwrite.jdbcUrl |
The JDBC url to connect the external DB | jdbc:postgresql://myPostgress/myDatabase?socketTimeout=1500 |
jdbcOverwrite.jdbcUsername |
The DB user that should be used for the JDBC connection | sonarUser |
jdbcOverwrite.jdbcPassword |
The DB password that should be used for the JDBC connection (Use this if you don't mind the DB password getting stored in plain text within the values file) | sonarPass |
jdbcOverwrite.jdbcSecretName |
Alternatively, use a pre-existing k8s secret containing the DB password | None |
jdbcOverwrite.jdbcSecretPasswordKey |
If the pre-existing k8s secret is used this allows the user to overwrite the 'key' of the password property in the secret | None |
postgresql.enabled |
Set to false to use external server |
true |
postgresql.existingSecret |
(DEPRECATED) Secret containing the password of the external Postgresql server | null |
postgresql.existingSecretPasswordKey |
(DEPRECATED) Secret Key containing the password of the external Postgresql server | postgresql-password |
postgresql.postgresqlServer |
(DEPRECATED) Hostname of the external Postgresql server | null |
postgresql.postgresqlUsername |
Postgresql database user | sonarUser |
postgresql.postgresqlPassword |
Postgresql database password | sonarPass |
postgresql.postgresqlDatabase |
Postgresql database name | sonarDB |
postgresql.service.port |
Postgresql port | 5432 |
postgresql.resources.requests.memory |
Postgresql memory request | 256Mi |
postgresql.resources.requests.cpu |
Postgresql cpu request | 250m |
postgresql.resources.limits.memory |
Postgresql memory limit | 2Gi |
postgresql.resources.limits.cpu |
Postgresql cpu limit | 2 |
postgresql.persistence.enabled |
Postgresql persistence en/disabled | true |
postgresql.persistence.accessMode |
Postgresql persistence accessMode | ReadWriteOnce |
postgresql.persistence.size |
Postgresql persistence size | 20Gi |
postgresql.persistence.storageClass |
Postgresql persistence storageClass | "" |
postgresql.securityContext.enabled |
Postgresql securityContext en/disabled | true |
postgresql.securityContext.fsGroup |
Postgresql securityContext fsGroup | 1001 |
postgresql.securityContext.runAsUser |
Postgresql securityContext runAsUser | 1001 |
postgresql.volumePermissions.enabled |
Postgres vol permissions en/disabled | false |
postgresql.volumePermissions.securityContext.runAsUser |
Postgres vol permissions secContext runAsUser | 0 |
postgresql.shmVolume.chmod.enabled |
Postgresql shared memory vol en/disabled | false |
postgresql.serivceAccount.enabled |
Postgresql service Account creation en/disabled | false |
postgresql.serivceAccount.name |
Postgresql service Account name (commented out) | "" |
podLabels |
Map of labels to add to the pods | {} |
sonarqubeFolder |
Directory name of Sonarqube | /opt/sonarqube |
tests.enabled |
Flag that allows tests to be excluded from generated yaml | true |
tests.image |
Change init test container image | dduportal/bats:0.4.0 |
serviceAccount.create |
If set to true, create a serviceAccount | false |
serviceAccount.name |
Name of the serviceAccount to create/use | sonarqube-sonarqube |
serviceAccount.annotations |
Additional serviceAccount annotations | {} |
extraConfig.secrets |
A list of Secret s (which must contain key/value pairs) which may be loaded into the Scanner as environment variables |
[] |
extraConfig.configmaps |
A list of ConfigMap s (which must contain key/value pairs) which may be loaded into the Scanner as environment variables |
[] |
account.adminPassword |
Custom admin password | "admin" |
account.currentAdminPassword |
Current admin password | "admin" |
curlContainerImage |
Curl container image | "curlimages/curl:latest" |
adminJobAnnotations |
Custom annotations for admin hook Job | {} |
terminationGracePeriodSeconds |
Configuration of terminationGracePeriodSeconds |
60 |
You can also configure values for the PostgreSQL database via the Postgresql Chart
For overriding variables see: Customizing the chart
In environments with air-gapped setup, especially with internal tooling (repos) and self-signed certificates it is required to provide an adequate cacerts
which overrides the default one:
-
Create a yaml file
cacerts.yaml
with a secret that contains one or more keys to represent the certificates that you want includingapiVersion: v1 kind: Secret metadata: name: my-cacerts data: cert-1.crt: | xxxxxxxxxxxxxxxxxxxxxxx
-
Upload your
cacerts.yaml
to a secret in the cluster you are installing Sonarqube to.kubectl apply -f cacerts.yaml
-
Set the following values of the chart:
caCerts: enabled: true secret: my-cacerts
Since SonarQube comes bundled with an Elasticsearch instance, some bootstrap checks of the host settings are done at start.
This chart offers the option to use an initContainer in privilaged mode to automatically set certain kernel settings on the kube worker. While this can ensure proper functionality of Elasticsearch, modifying the underlying kernel settings on the Kubernetes node can impact other users. It may be best to work with your cluster administrator to either provide specific nodes with the proper kernel settings, or ensure they are set cluster wide.
To enable auto-configuration of the kube worker node, set elasticsearch.configureNode
to true
. This is the default behavior, so you do not need to explicitly set this.
This will run sysctl -w vm.max_map_count=262144
on the worker where the sonarqube pod(s) get scheduled. This needs to be set to 262144
but normally defaults to 65530
. Other kernel settings are recommended by the docker image, but the defaults work fine in most cases.
To disable worker node configuration, set elasticsearch.configureNode
to false
. Note that if node configuration is not enabled, then you will likely need to also disable the Elasticsearch bootstrap checks. These can be explicitly disabled by setting elasticsearch.bootstrapChecks
to false
.
For environments where another tool, such as terraform or ansible, is used to provision infrastructure or passwords then setting databases addresses and credentials via helm becomes less than ideal. Ditto for environments where this config may be visible.
In such environments, configuration may be read, via environment variables, from Secrets and ConfigMaps.
-
Create a
ConfigMap
(orSecret
) containing key/value pairs, as expected by SonarqubeapiVersion: v1 kind: ConfigMap metadata: name: external-sonarqube-opts data: SONARQUBE_JDBC_USERNAME: foo SONARQUBE_JDBC_URL: jdbc:postgresql://db.example.com:5432/sonar
-
Set the following in your
values.yaml
(using the keyextraConfig.secrets
to referenceSecret
s)extraConfig: configmaps: - external-sonarqube-opts