SonarQube

SonarQube offers Code Quality and Code Security analysis for up to 27 languages. Find Bugs, Vulnerabilities, Security Hotspots and Code Smells throughout your workflow.

Introduction

This chart bootstraps an instance of the latest SonarQube version with a PostgreSQL database. A helm chart is also available for the LTS version.

Please note that this chart only supports SonarQube Community, Developer, and Enterprise Editions.

Compatibility

| SonarQube Version | Kubernetes Version | Helm Chart Version |
| --- | --- | --- |
| 9.0 | 1.19, 1.20, 1.21 | 1.1 |

Installing the chart

To install the chart:

git clone https://github.com/SonarSource/helm-chart-sonarqube.git
cd helm-chart-sonarqube/charts/sonarqube
helm dependency update
kubectl create namespace sonarqube
helm upgrade --install -f values.yaml -n sonarqube sonarqube ./

The above command deploys SonarQube on the Kubernetes cluster in the default configuration in the sonarqube namespace. The configuration section lists the parameters that can be configured during installation.

The default login is admin/admin. Do not leave it that way on an instance anyone else can reach: set account.adminPassword (leaving account.currentAdminPassword at admin for the first install) so that the chart's post-install hook Job changes the password, and replace the default monitoringPasscode as well, since that value (sonar.web.systemPasscode) is what authenticates the probes against the system endpoints.
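As an added example (not from the chart's own README), the following shell function assembles the arguments for the helm install above and refuses to proceed while the admin password or the monitoring passcode is still at its documented default. It relies only on the account.adminPassword, account.currentAdminPassword and monitoringPasscode keys listed in the Configuration section; the environment variable names SONAR_ADMIN_PASSWORD and SONAR_MONITORING_PASSCODE are this example's own.

```shell
#!/bin/sh
# Added example, not part of the SonarQube Helm chart. Builds the argument
# list for `helm upgrade --install` and rejects the chart's documented
# default credentials (admin/admin, monitoringPasscode "define_it").
# The env var names SONAR_ADMIN_PASSWORD / SONAR_MONITORING_PASSCODE are
# assumptions of this example.

# Return 0 if $1 is usable as a secret: set, not a known default, >= 12 chars.
sonar_secret_ok() {
  case "$1" in
    ""|admin|define_it) return 1 ;;
  esac
  [ "${#1}" -ge 12 ]
}

# Print, one per line, the helm arguments for an install without default secrets.
# Usage: sonar_install_flags NAMESPACE RELEASE
sonar_install_flags() {
  ns=$1 release=$2
  sonar_secret_ok "$SONAR_ADMIN_PASSWORD" || {
    echo "refusing: SONAR_ADMIN_PASSWORD unset, a chart default, or too short" >&2
    return 1
  }
  sonar_secret_ok "$SONAR_MONITORING_PASSCODE" || {
    echo "refusing: SONAR_MONITORING_PASSCODE unset, a chart default, or too short" >&2
    return 1
  }
  # currentAdminPassword is "admin" only for the very first install; the
  # admin hook Job logs in with it and changes the password to adminPassword.
  # On later upgrades set it to the password that is current at that time.
  printf '%s\n' \
    "upgrade" "--install" "-n" "$ns" "$release" "./" \
    "-f" "values.yaml" \
    "--set" "account.currentAdminPassword=admin" \
    "--set" "account.adminPassword=$SONAR_ADMIN_PASSWORD" \
    "--set" "monitoringPasscode=$SONAR_MONITORING_PASSCODE"
}

# Example invocation (needs helm and a cluster; not executed by the test):
# SONAR_ADMIN_PASSWORD="$(openssl rand -base64 24)" \
# SONAR_MONITORING_PASSCODE="$(openssl rand -base64 24)" \
#   sonar_install_flags sonarqube sonarqube | xargs helm
```

Values passed with --set still end up in the Helm release Secret in the namespace and in the process listing while helm runs, so drive this from a CI job that injects the two variables rather than typing them into an interactive shell whose history is kept.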

How to use it

Take some time to read the Deploy SonarQube on Kubernetes page. SonarQube deployment on Kubernetes has been tested with the recommendations and constraints documented there, and the deployment has some limitations.

Uninstalling the chart

To uninstall/delete the deployment (the release lives in the namespace it was installed into, so pass it to helm):

$ helm list -n sonarqube
NAME        REVISION    UPDATED                     STATUS      CHART            NAMESPACE
kindly-newt 1           Mon Oct  2 15:05:44 2017    DEPLOYED    sonarqube-0.1.0  sonarqube
$ helm delete -n sonarqube kindly-newt

helm delete leaves behind the PersistentVolumeClaims created by the StatefulSet (persistence.enabled) and by the bundled PostgreSQL chart; delete them separately if the analysis data and the database must not outlive the release.

Upgrade

  1. Read through the SonarQube Upgrade Guide to familiarize yourself with the general upgrade process (most importantly, back up your database)
  2. Change the SonarQube version on values.yaml
  3. Redeploy SonarQube with the same helm chart (see Install instructions)
  4. Browse to http://yourSonarQubeServerURL/setup and follow the setup instructions
  5. Reanalyze your projects to get fresh data

Ingress

Path

Some cloud providers may need the path to be /* instead of /. Try this first if you are having issues getting traffic through the ingress.

Default Backend

If you use GCP as your cloud provider, you need to set a default backend to avoid the useless default backend created by the gce controller. To do so, set the kubernetes.io/ingress.class annotation to gce or gce-internal. In the example below, kubernetes.io/ingress.allow-http: "false" stops the GCE load balancer from also listening on plain HTTP; combine it with ingress.tls so the HTTPS listener has a certificate to serve.

Example:

---
ingress:
  enabled: true
  hosts:
    - name: sonarqube.example.com
      path: "/*"
  annotations:
    kubernetes.io/ingress.class: "gce-internal"
    kubernetes.io/ingress.allow-http: "false"

Monitoring

This Helm chart offers the possibility to monitor SonarQube with Prometheus. By default the JMX metrics for the Web bean and the CE bean are exposed on ports 8000 and 8001. These values can be configured with prometheusExporter.webBeanPort and prometheusExporter.ceBeanPort. The jmx_prometheus_javaagent jar is downloaded from Maven Central when the pod starts (prometheusExporter.version); in a restricted environment, point prometheusExporter.downloadURL at an internal mirror rather than setting prometheusExporter.noCheckCertificate, which disables TLS verification of that download. The metrics endpoints are served over plain HTTP without authentication; they are not part of the chart's Service, so scrape them pod-to-pod as shown below and do not route them through an Ingress.

PodMonitor

If you are using the Prometheus Operator, you can configure a PodMonitor like this and let the Operator generate the scrape configuration:

apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
  name: sonarqube
  namespace: monitoring
spec:
  namespaceSelector:
    matchNames:
    - sonarqube
  podMetricsEndpoints:
  - interval: 30s
    path: /
    scheme: http
    targetPort: monitoring-ce
  - interval: 30s
    path: /
    scheme: http
    targetPort: monitoring-web
  selector:
    matchLabels:
      app: sonarqube

Configuration

The following table lists the configurable parameters of the Sonarqube chart and their default values.

| Parameter | Description | Default |
| --- | --- | --- |
| deploymentType | Deployment Type | StatefulSet |
| replicaCount | Number of replicas deployed | 1 |
| deploymentStrategy | Deployment strategy | {} |
| priorityClassName | Schedule pods on priority (commented out) | "high-priority" |
| schedulerName | Kubernetes scheduler name | None |
| OpenShift.enabled | Define if this deployment is for OpenShift | false |
| OpenShift.createSCC | If this deployment is for OpenShift, define if SCC should be created for sonarqube pod | true |
| image.repository | image repository | sonarqube |
| image.tag | sonarqube image tag | 9.0.1-community |
| image.pullPolicy | Image pull policy | IfNotPresent |
| image.pullSecret | imagePullSecret to use for private repository (commented out) | my-repo-secret |
| securityContext.fsGroup | Group applied to mounted directories/files | 1000 |
| containerSecurityContext.runAsUser | User to run containers in sonarqube pod as, unless overwritten (such as for init-sysctl container) | 1000 |
| elasticsearch.configureNode | [DEPRECATED] Use initSysctl.enabled instead. | true |
| elasticsearch.bootstrapChecks | Enables/disables Elasticsearch bootstrap checks | true |
| nginx.enabled | Also install Nginx Ingress Helm | false |
| service.type | Kubernetes service type | ClusterIP |
| service.externalPort | Kubernetes service port | 9000 |
| service.internalPort | Kubernetes container port | 9000 |
| service.labels | Kubernetes service labels | None |
| service.annotations | Kubernetes service annotations | None |
| service.loadBalancerSourceRanges | Kubernetes service LB Allowed inbound IP addresses | None |
| service.loadBalancerIP | Kubernetes service LB Optional fixed external IP | None |
| ingress.enabled | Flag for enabling ingress | false |
| ingress.labels | Ingress additional labels | {} |
| ingress.hosts[0].name | Hostname to your SonarQube installation | sonarqube.your-org.com |
| ingress.hosts[0].path | Path within the URL structure | / |
| ingress.hosts[0].serviceName | Optional field to override the default serviceName of a path | None |
| ingress.hosts[0].servicePort | Optional field to override the default servicePort of a path | None |
| ingress.tls | Ingress secrets for TLS certificates | [] |
| ingress.ingressClassName | Optional field to configure ingress class name | None |
| route.enabled | Flag for enabling route | false |
| route.tls.termination | TLS termination type. Currently supported values are edge and passthrough | edge |
| affinity | Node / Pod affinities | {} |
| tolerations | List of node taints to tolerate | [] |
| nodeSelector | Node labels for pod assignment | {} |
| hostAliases | Aliases for IPs in /etc/hosts | [] |
| readinessProbe.initialDelaySecond | ReadinessProbe initial delay for SonarQube checking | 60 |
| readinessProbe.periodSeconds | ReadinessProbe period between checking SonarQube | 30 |
| readinessProbe.failureThreshold | ReadinessProbe threshold for marking as failed | 6 |
| readinessProbe.sonarWebContext | SonarQube web context for readinessProbe | / |
| livenessProbe.initialDelaySecond | LivenessProbe initial delay for SonarQube checking | 60 |
| livenessProbe.periodSeconds | LivenessProbe period between checking SonarQube | 30 |
| livenessProbe.sonarWebContext | SonarQube web context for livenessProbe | / |
| livenessProbe.failureThreshold | LivenessProbe threshold for marking as dead | 6 |
| startupProbe.initialDelaySecond | StartupProbe initial delay for SonarQube checking | 30 |
| startupProbe.periodSeconds | StartupProbe period between checking SonarQube | 10 |
| startupProbe.sonarWebContext | SonarQube web context for StartupProbe | / |
| startupProbe.failureThreshold | StartupProbe threshold for marking as failed | 24 |
| initContainers.image | Change init container image | busybox:1.32 |
| initContainers.securityContext | SecurityContext for init containers | nil |
| initContainers.resources | Resources for init containers | {} |
| extraInitContainers | Extra init containers to e.g. download required artifacts | {} |
| extraContainers | Array of extra containers to run alongside the sonarqube container | [] |
| caCerts.image | Change init CA certificates container image | adoptopenjdk/openjdk11:alpine |
| caCerts.secret | Name of the secret containing additional CA certificates | nil |
| initSysctl.enabled | Modify k8s worker to conform to system requirements | true |
| initSysctl.vmMaxMapCount | Set init sysctl container vm.max_map_count | 524288 |
| initSysctl.fsFileMax | Set init sysctl container fs.file-max | 131072 |
| initSysctl.nofile | Set init sysctl container open file descriptors limit | 131072 |
| initSysctl.nproc | Set init sysctl container open threads limit | 8192 |
| initSysctl.image | Change init sysctl container image | busybox:1.32 |
| initSysctl.securityContext | InitSysctl container security context | {privileged: true} |
| initSysctl.resources | InitSysctl container resource requests & limits | {} |
| initFs.enabled | Enable file permission change with init container | true |
| initFs.image | InitFS container image | busybox:1.32 |
| initFs.securityContext.privileged | InitFS container needs to run privileged | true |
| prometheusExporter.enabled | Use the Prometheus JMX exporter | true |
| prometheusExporter.version | jmx_prometheus_javaagent version to download from Maven Central | 0.16.0 |
| prometheusExporter.noCheckCertificate | Flag to not check server's certificate when downloading jmx_prometheus_javaagent | false |
| prometheusExporter.webBeanPort | Port where the jmx_prometheus_javaagent exposes the metrics for the webBean | 8000 |
| prometheusExporter.ceBeanPort | Port where the jmx_prometheus_javaagent exposes the metrics for the ceBean | 8001 |
| prometheusExporter.downloadURL | Alternative full download URL for the jmx_prometheus_javaagent.jar (overrides prometheusExporter.version) | "" |
| prometheusExporter.config | Prometheus JMX exporter config yaml for the web process, and the CE process if prometheusExporter.ceConfig is not set | see values.yaml |
| prometheusExporter.ceConfig | Prometheus JMX exporter config yaml for the CE process (by default, prometheusExporter.config is used) | None |
| prometheusExporter.httpProxy | HTTP proxy for downloading JMX agent | "" |
| prometheusExporter.httpsProxy | HTTPS proxy for downloading JMX agent | "" |
| prometheusExporter.noProxy | No proxy for downloading JMX agent | "" |
| prometheusExporter.securityContext | Security context for downloading the jmx agent | see values.yaml |
| plugins.install | List of plugins to install | [] |
| plugins.lib | Plugins library | [] |
| plugins.resources | Resources (requests & limits) for the plugins container | {} |
| plugins.httpProxy | For use behind a corporate proxy when downloading plugins | "" |
| plugins.httpsProxy | For use behind a corporate proxy when downloading plugins | "" |
| plugins.noProxy | For use behind a corporate proxy when downloading plugins | "" |
| plugins.image | Image for plugins container | "" |
| plugins.netrcCreds | Name of the secret containing .netrc file to use creds when downloading plugins | "" |
| plugins.noCheckCertificate | Flag to not check server's certificate when downloading plugins | false |
| plugins.securityContext | Security context for the container to download plugins | see values.yaml |
| jvmOpts | Values to add to SONARQUBE_WEB_JVM_OPTS | "" |
| jvmCEOpts | Values to add to SONAR_CE_JAVAOPTS | "" |
| monitoringPasscode | Value for sonar.web.systemPasscode. Needed for liveness probes | "define_it" |
| env | Environment variables to attach to the pods | nil |
| annotations | Sonarqube Pod annotations | {} |
| resources.requests.memory | Sonarqube memory request | 2Gi |
| resources.requests.cpu | Sonarqube cpu request | 400m |
| resources.limits.memory | Sonarqube memory limit | 4096M |
| resources.limits.cpu | Sonarqube cpu limit | 800m |
| persistence.enabled | Flag for enabling persistent storage | false |
| persistence.annotations | Kubernetes pvc annotations | {} |
| persistence.existingClaim | Do not create a new PVC but use this one | None |
| persistence.storageClass | Storage class to be used | "" |
| persistence.accessMode | Volumes access mode to be set | ReadWriteOnce |
| persistence.size | Size of the volume | 5Gi |
| persistence.volumes | Specify extra volumes. Refer to ".spec.volumes" specification | [] |
| persistence.mounts | Specify extra mounts. Refer to ".spec.containers.volumeMounts" specification | [] |
| emptyDir | Configuration of resources for emptyDir | {} |
| sonarProperties | Custom sonar.properties file | None |
| sonarSecretProperties | Additional sonar.properties file to load from a secret | None |
| sonarSecretKey | Name of existing secret used for settings encryption | None |
| jdbcDatabaseType | Type of the JDBC Database driver | postgresql |
| jdbcOverwrite.enable | Enable JDBC overwrites for external Databases (disables postgresql.enabled) | false |
| jdbcOverwrite.jdbcUrl | The JDBC url to connect the external DB | jdbc:postgresql://myPostgress/myDatabase?socketTimeout=1500 |
| jdbcOverwrite.jdbcUsername | The DB user that should be used for the JDBC connection | sonarUser |
| jdbcOverwrite.jdbcPassword | The DB password that should be used for the JDBC connection (use only if you accept the DB password being stored in plain text in the values file and in the Helm release) | sonarPass |
| jdbcOverwrite.jdbcSecretName | Alternatively, use a pre-existing k8s secret containing the DB password | None |
| jdbcOverwrite.jdbcSecretPasswordKey | If the pre-existing k8s secret is used this allows the user to overwrite the 'key' of the password property in the secret | None |
| postgresql.enabled | Set to false to use external server | true |
| postgresql.existingSecret | (DEPRECATED) Secret containing the password of the external Postgresql server | null |
| postgresql.existingSecretPasswordKey | (DEPRECATED) Secret Key containing the password of the external Postgresql server | postgresql-password |
| postgresql.postgresqlServer | (DEPRECATED) Hostname of the external Postgresql server | null |
| postgresql.postgresqlUsername | Postgresql database user | sonarUser |
| postgresql.postgresqlPassword | Postgresql database password | sonarPass |
| postgresql.postgresqlDatabase | Postgresql database name | sonarDB |
| postgresql.service.port | Postgresql port | 5432 |
| postgresql.resources.requests.memory | Postgresql memory request | 256Mi |
| postgresql.resources.requests.cpu | Postgresql cpu request | 250m |
| postgresql.resources.limits.memory | Postgresql memory limit | 2Gi |
| postgresql.resources.limits.cpu | Postgresql cpu limit | 2 |
| postgresql.persistence.enabled | Postgresql persistence en/disabled | true |
| postgresql.persistence.accessMode | Postgresql persistence accessMode | ReadWriteOnce |
| postgresql.persistence.size | Postgresql persistence size | 20Gi |
| postgresql.persistence.storageClass | Postgresql persistence storageClass | "" |
| postgresql.securityContext.enabled | Postgresql securityContext en/disabled | true |
| postgresql.securityContext.fsGroup | Postgresql securityContext fsGroup | 1001 |
| postgresql.securityContext.runAsUser | Postgresql securityContext runAsUser | 1001 |
| postgresql.volumePermissions.enabled | Postgres vol permissions en/disabled | false |
| postgresql.volumePermissions.securityContext.runAsUser | Postgres vol permissions secContext runAsUser | 0 |
| postgresql.shmVolume.chmod.enabled | Postgresql shared memory vol en/disabled | false |
| postgresql.serviceAccount.enabled | Postgresql service Account creation en/disabled | false |
| postgresql.serviceAccount.name | Postgresql service Account name (commented out) | "" |
| podLabels | Map of labels to add to the pods | {} |
| sonarqubeFolder | Directory name of Sonarqube | /opt/sonarqube |
| tests.enabled | Flag that allows tests to be excluded from generated yaml | true |
| tests.image | Change init test container image | dduportal/bats:0.4.0 |
| serviceAccount.create | If set to true, create a serviceAccount | false |
| serviceAccount.name | Name of the serviceAccount to create/use | sonarqube-sonarqube |
| serviceAccount.annotations | Additional serviceAccount annotations | {} |
| extraConfig.secrets | A list of Secrets (which must contain key/value pairs) which may be loaded into the SonarQube container as environment variables | [] |
| extraConfig.configmaps | A list of ConfigMaps (which must contain key/value pairs) which may be loaded into the SonarQube container as environment variables | [] |
| account.adminPassword | Custom admin password | "admin" |
| account.currentAdminPassword | Current admin password | "admin" |
| curlContainerImage | Curl container image | "curlimages/curl:latest" |
| adminJobAnnotations | Custom annotations for admin hook Job | {} |
| terminationGracePeriodSeconds | Configuration of terminationGracePeriodSeconds | 60 |

You can also configure values for the PostgreSQL database via the Postgresql Chart

For overriding variables see: Customizing the chart

Use custom cacerts

In air-gapped environments, especially with internal tooling (repositories) behind self-signed certificates, you need to provide a cacerts truststore that replaces the default one shipped in the image. The chart builds it from a Secret: its CA init container imports every key of the Secret into the JVM truststore.

  1. Create a yaml file cacerts.yaml with a secret that contains one key per certificate you want to include. Values under data must be base64-encoded; if you would rather paste the PEM text as-is, use stringData instead of data.

    apiVersion: v1
    kind: Secret
    metadata:
      name: my-cacerts
    data:
      cert-1.crt: |
        xxxxxxxxxxxxxxxxxxxxxxx
  2. Create the secret from cacerts.yaml in the namespace you are installing SonarQube into (the chart only reads Secrets from its own namespace).

    kubectl apply -n sonarqube -f cacerts.yaml
  3. Set the following values of the chart:

    caCerts:
      enabled: true
      secret: my-cacerts

Elasticsearch Settings

Since SonarQube comes bundled with an Elasticsearch instance, Elasticsearch runs its bootstrap checks against the host's kernel settings at start.

This chart offers the option to use an initContainer in privileged mode to automatically set certain kernel settings on the Kubernetes worker node. While this ensures that Elasticsearch starts, modifying kernel settings on the node affects every other workload scheduled there, and it requires admitting a privileged container into the sonarqube namespace. It is usually better to work with your cluster administrator to either provide dedicated nodes with the proper kernel settings or to set them cluster-wide, and then to disable the init container.

Node auto-configuration is controlled by initSysctl.enabled (elasticsearch.configureNode is the deprecated name for the same switch) and is on by default, so you do not need to set it explicitly.

The init container runs sysctl -w vm.max_map_count=<initSysctl.vmMaxMapCount> (default 524288) on the worker where the sonarqube pod gets scheduled; Elasticsearch requires at least 262144, while the kernel default is 65530. It also raises fs.file-max and the open file and process limits to initSysctl.fsFileMax, initSysctl.nofile and initSysctl.nproc. Other kernel settings recommended by the Docker image are fine at their defaults in most cases.

To disable worker node configuration, set initSysctl.enabled to false. If the nodes do not meet the requirements and you still want SonarQube to start, the Elasticsearch bootstrap checks can be turned off with elasticsearch.bootstrapChecks: false. Be aware that this only silences the check; it does not make a node with a too-low vm.max_map_count safe to run Elasticsearch on.

Extra Config

For environments where another tool, such as Terraform or Ansible, provisions infrastructure or passwords, setting database addresses and credentials via Helm values becomes less than ideal. The same goes for environments where the values file may be visible to others.

In such environments, configuration may be read, via environment variables, from Secrets and ConfigMaps.

  1. Create a ConfigMap (or Secret) containing key/value pairs, as expected by Sonarqube

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: external-sonarqube-opts
    data:
      SONARQUBE_JDBC_USERNAME: foo
      SONARQUBE_JDBC_URL: jdbc:postgresql://db.example.com:5432/sonar
  2. Set the following in your values.yaml (using the key extraConfig.secrets to reference Secrets)

    extraConfig:
      configmaps:
        - external-sonarqube-opts
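Both the cacerts Secret from "Use custom cacerts" and the credential Secret referenced through extraConfig.secrets here need the same thing: a Kubernetes Secret manifest whose data values are correctly base64-encoded. As an added example (not code from the chart), the function below generates such a manifest from files (for certificates) and literals (for credentials), plus a decoder to verify the round trip. The Secret and key names are assumptions; SONARQUBE_JDBC_PASSWORD follows the naming of the SONARQUBE_JDBC_* variables used in the ConfigMap above.

```shell
#!/bin/sh
# Added example, not part of the SonarQube Helm chart. Emits a Kubernetes Secret
# manifest with base64-encoded `data` for the two uses on this page:
#   - a CA bundle for caCerts.secret        (keys loaded from files, key=@path)
#   - JDBC credentials for extraConfig.secrets (keys from literals, key=value)
# Secret names and the SONARQUBE_JDBC_PASSWORD variable name are assumptions.

# Single-line base64 on both GNU and BSD base64 (GNU wraps at 76 columns).
b64() { base64 | tr -d '\n'; }

# Usage: secret_manifest NAME NAMESPACE key=@/path/to/file ... key=value ...
secret_manifest() {
  name=$1 ns=$2
  shift 2
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: Opaque\ndata:\n' \
    "$name" "$ns"
  for kv in "$@"; do
    key=${kv%%=*}
    val=${kv#*=}
    case "$val" in
      @*) enc=$(b64 < "${val#@}") ;;           # file contents, newlines preserved
      *)  enc=$(printf '%s' "$val" | b64) ;;   # literal, without a trailing newline
    esac
    printf '  %s: %s\n' "$key" "$enc"
  done
}

# Decode one key back out of a manifest produced above, to verify the round trip.
# Usage: secret_value KEY < manifest.yaml
secret_value() {
  awk -v k="$1" '$1 == (k ":") { print $2 }' | base64 -d
}

# Typical use (needs kubectl and a cluster; not executed by the test):
#   secret_manifest my-cacerts sonarqube cert-1.crt=@corp-root-ca.pem > cacerts.yaml
#   secret_manifest sonarqube-jdbc sonarqube \
#       SONARQUBE_JDBC_PASSWORD="$(cat /run/secrets/db-pass)" > jdbc-secret.yaml
#   kubectl apply -f cacerts.yaml -f jdbc-secret.yaml
# then in values.yaml:  caCerts.secret: my-cacerts  and  extraConfig.secrets: [sonarqube-jdbc]
```

Reading the password from a file or a secret store rather than from a command-line literal keeps it out of the shell history; the generated manifest itself still contains the secret (base64 is an encoding, not encryption), so treat the file like the credential it carries.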