Deploy SonarQube on Kubernetes
This part of the Documentation is only valid for Community, Developer, and Enterprise Editions. For information on deploying the Data Center Edition of SonarQube on Kubernetes, see this documentation.
Overview
You can find the SonarQube Helm chart on GitHub.
Your feedback is welcome at our community forum.
Kubernetes environment recommendations
When you want to operate SonarQube on Kubernetes, consider the following recommendations.
Prerequisites
Supported versions
The SonarQube helm chart should only be used with the latest version of SonarQube and a supported version of Kubernetes. There is a dedicated helm chart for the LTS version of SonarQube that follows the same patch policy as the application, while also being compatible with the supported versions of Kubernetes.
Pod Security Standards
The following Pod Security levels cannot be used in combination with SonarQube's chart:
- Baseline. The "init-sysctl" container requires
securityContext.privileged=true
. - Restricted. In addition to the previous requirement,
- The "sonarqube-postgresql", "wait-for-db", "init-sysctl", and "sonarqube" containers require
securityContext.allowPrivilegeEscalation=true
, unrestricted capabilities, running as root, and a seccompProfile different from "RuntimeDefault" or "Localhost".
- The "sonarqube-postgresql", "wait-for-db", "init-sysctl", and "sonarqube" containers require
Installation
Currently, only Helm 3 is supported.
To install the Helm Chart from our Helm Repository, you can use the following commands:
Persistency
SonarQube comes with a bundled Elasticsearch and, as Elasticsearch is stateful, so is SonarQube. There is an option to persist the Elasticsearch indexes in a Persistent Volume, but with regular killing operations by the Kubernetes Cluster, these indexes can be corrupted. By default, persistency is disabled in the Helm chart.
Enabling persistency decreases the startup time of the SonarQube Pod significantly, but you are risking corrupting your Elasticsearch index. You can enable persistency by adding the following to the values.yaml
:
Leaving persistency disabled results in a longer startup time until SonarQube is fully available, but you won't lose any data as SonarQube will persist all data in the database.
Custom Certificate
When you're working with your own CA or in an environment that uses self-signed certificates for your code repository platform, you can create a secret containing this certificate and add this certificate to the Java truststore inside the SonarQube deployment directly during the deployment.
To enable this behavior, add the following to your value.yaml
file:
Get Certificate via openssl
If you already have a running installation of your code repository platform, you can extract the certificate with the following snippet using openssl
This certificate needs to be Base64 encoded in order to be added as secret data.
Note that you can also use string-data
here if you don't want to encode your certificate.
Create secret
The Base64 encoded certificate can be added to the secret's data:
Then, create the secret in your Kubernetes cluster with the following command:
Ingress Creation
To make the SonarQube service accessible from outside of your cluster, you most likely need an ingress. Creating a new ingress is also covered by the Helm chart. See the following section for help with creating one.
Ingress Class
The SonarSource Helm chart has an optional dependency on the NGINX-ingress helm chart. If you already have NGINX-ingress present in your cluster, you can use it.
If you want to install NGINX as well, add the following to your values.yaml
.
We recommend using the ingress-class NGINX with a body size of at least 64MB. This can be achieved with the following changes to your values.yaml:
Monitoring
You can monitor your SonarQube instance using SonarQube's native integration with Prometheus. Through this integration, you can ensure your instance is running properly and know if you need to take action to prevent future issues.
Prometheus monitors your SonarQube instance by collecting metrics from the /api/monitoring/metrics
endpoint. Results are returned in OpenMetrics text format. See Prometheus' documentation on exposition formats for more information on the OpenMetrics text format.
Monitoring through this endpoint requires authentication. You can access the endpoint following ways:
Authorization:Bearer xxxx
header: You can use a bearer token during database upgrade and when SonarQube is fully operational. Define the bearer token in thesonar.properties
file using thesonar.web.systemPasscode property
.X-Sonar-Passcode: xxxxx
header: You can useX-Sonar-passcode
during database upgrade and when SonarQube is fully operational. DefineX-Sonar-passcode
in thesonar.properties
file using thesonar.web.systemPasscode property
.- username:password and JWT token: When SonarQube is fully operational, system admins logged in with local or delegated authentication can access the endpoint.
JMX Exporter
You can also expose the JMX metrics to Prometheus using the Prometheus JMX exporter.
To use this option, set the following values in your values.yaml
file:
This downloads the Prometheus JMX exporter agent and adds it to the startup options of SonarQube. With this default configuration, the JMX metrics will be exposed on /metrics for Prometheus to scrape.
The config scope here defines a configuration that is understandable by the Prometheus JMX exporter. For more information, please Prometheus' documentation on the JMX exporter.
PodMonitor
You can collect metrics on using PodMonitor for Prometheus by defining PodMonitor as follows:
Other Configuration Options
While we only document the most pressing Helm chart customizations in this documentation, there are other possibilities for you to choose to customize the chart before installing. Please see the Helm chart README file for more information on these.
Known limitations
As SonarQube is intended to be run anywhere, there are some drawbacks that are currently known when operating in Kubernetes. This list is not comprehensive, but something to keep in mind and points for us to improve on.
Readiness and Startup delays
When persistence is disabled, SonarQube startup takes significantly longer as the Elasticsearch indexes need to be rebuilt. As this delay depends on the amount of data in your SonarQube instance, the values for the startup/readiness and liveness probes need to be adjusted to your environment. We also recommend taking a look at the default limits for the SonarQube deployment as the amount of CPU available to SonarQube also impacts the startup time.
Problems with Azure Fileshare PVC
Currently, there is a known limitation when working on AKS that resonates around the use of Azure Fileshare. We recommend using another storage class for persistency on AKS.
© 2008-2023, SonarSource S.A, Switzerland. Except where otherwise noted, content in this space is licensed under a Creative Commons Attribution-NonCommercial 3.0 United States License. SONARQUBE is a trademark of SonarSource SA. All other trademarks and copyrights are the property of their respective owners.