# Customizing the DCE Helm chart

This page documents only the most pressing Helm chart customizations; other options are available for customizing the chart before installing. See the [Helm chart README file](https://artifacthub.io/packages/helm/sonarqube/sonarqube-dce) and the [Customize the chart before installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing) documentation for more information. In particular, see the recommended production use case values.

You can customize the Helm chart:

* By editing the default values in the `values.yaml` file.
* Or directly in the Helm chart installation command line.

{% hint style="info" %}
To set up:

* Monitoring: see [set-up-monitoring](https://docs.sonarsource.com/sonarqube-server/server-installation/on-kubernetes-or-openshift/set-up-monitoring "mention").
* Autoscaling: see [setting-up-autoscaling](https://docs.sonarsource.com/sonarqube-server/server-installation/data-center-edition/on-kubernetes-or-openshift/setting-up-autoscaling "mention").
* Disaster recovery: see [setting-up-disaster-recovery](https://docs.sonarsource.com/sonarqube-server/server-installation/data-center-edition/on-kubernetes-or-openshift/setting-up-disaster-recovery "mention").

{% endhint %}

You must configure access to your database, unless you are using SonarQube for test purposes with the embedded H2 database. See [#access-to-database](https://docs.sonarsource.com/sonarqube-server/on-kubernetes-or-openshift/customizing-helm-chart#access-to-database "mention").

You can:

* Enable OpenShift. See [#enabling-openshift](https://docs.sonarsource.com/sonarqube-server/on-kubernetes-or-openshift/customizing-helm-chart#enabling-openshift "mention").
* Ensure a restricted security level in your OpenShift or Kubernetes installation. See [#ensuring-restricted-level](https://docs.sonarsource.com/sonarqube-server/on-kubernetes-or-openshift/customizing-helm-chart#ensuring-restricted-level "mention").
* Create an Ingress to make SonarQube accessible from outside. See [#ingress](https://docs.sonarsource.com/sonarqube-server/on-kubernetes-or-openshift/customizing-helm-chart#ingress "mention").

If you use custom certificates for your code repository, see [#custom-certificates](https://docs.sonarsource.com/sonarqube-server/on-kubernetes-or-openshift/customizing-helm-chart#custom-certificates "mention").

{% hint style="info" %}
Kubernetes services automatically discover SonarQube cluster nodes, eliminating the need to specify them in a node’s configuration.
{% endhint %}

## Storing your JWT token <a href="#storing-jwt-token" id="storing-jwt-token"></a>

To keep user sessions alive during a restart, you need to store the JWT token you generated during pre-installation (see [jwt-token](https://docs.sonarsource.com/sonarqube-server/server-installation/pre-installation/jwt-token "mention")). To do so, store the token in the `applicationNodes.jwtSecret` parameter.

## Deploying with Istio

The DCE Helm chart can be installed in clusters that have Istio pre-installed (SonarQube Server is tested using Istio in sidecar mode).

When deploying SonarQube in an Istio service mesh environment, you need to configure fixed ports for Hazelcast communication between application nodes. This is required because Istio's sidecar proxy needs to know all ports in advance for traffic management, security policies, and observability.

By default, SonarQube's Hazelcast cluster uses dynamic port allocation, which conflicts with Istio's requirement for explicit port declarations in service definitions and network policies. To ensure that Istio can properly route traffic, apply security policies, and provide telemetry for all inter-node communication within the SonarQube cluster, configure fixed ports for the Hazelcast communication channels by setting the following parameters:

* `applicationNodes.webPort`: Port used by the Web process for cluster communication.
* `applicationNodes.cePort`: Port used by the Compute Engine process for cluster communication.

**Example configuration:**

```yaml
applicationNodes:
  webPort: 4023    # Web process communication
  cePort: 4024     # Compute Engine process communication
```
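
A pre-flight check for the two settings described above (`applicationNodes.jwtSecret` from the JWT section and the fixed Hazelcast ports from this section), as an added example that is not part of the SonarQube chart or its documentation. The function name `check_dce_values`, the sample values, and the rules that the secret must be base64 decoding to at least 32 bytes and that the two ports must differ are assumptions of this example.

```python
import base64
import binascii


def check_dce_values(values, istio=True):
    """Return a list of findings for the merged chart values (a dict)."""
    findings = []
    app = values.get("applicationNodes") or {}

    # JWT secret: must be set so user sessions survive a restart.
    secret = app.get("jwtSecret") or ""
    if not secret:
        findings.append("applicationNodes.jwtSecret is empty")
    else:
        try:
            key = base64.b64decode(secret, validate=True)
            # Assumption: the secret is an HS256 key, so at least 256 bits.
            if len(key) < 32:
                findings.append("applicationNodes.jwtSecret decodes to fewer than 32 bytes")
        except (binascii.Error, ValueError, TypeError):
            findings.append("applicationNodes.jwtSecret is not valid base64")

    # Istio: both Hazelcast ports must be fixed so the sidecar knows them.
    if istio:
        ports = {}
        for name in ("webPort", "cePort"):
            port = app.get(name)
            if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
                findings.append(f"applicationNodes.{name} must be a fixed port (1-65535), got {port!r}")
            else:
                ports[name] = port
        # Assumption: the Web and Compute Engine processes need separate ports.
        if len(ports) == 2 and ports["webPort"] == ports["cePort"]:
            findings.append("applicationNodes.webPort and applicationNodes.cePort must differ")
    return findings


# Constructed sample values: the key is bytes 0..31, not a real secret.
SAMPLE_OK = {"applicationNodes": {
    "jwtSecret": base64.b64encode(bytes(range(32))).decode(),
    "webPort": 4023,
    "cePort": 4024,
}}
SAMPLE_BAD = {"applicationNodes": {"jwtSecret": "c2hvcnQ=", "webPort": 4023, "cePort": 4023}}

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, check_dce_values(sample))
```

The `values` dict can be loaded from the merged values of a release, for example the JSON printed by `helm get values <release> --all -o json`.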

## About persistence in Elasticsearch

SonarQube Server comes with a bundled Elasticsearch. As Elasticsearch is stateful, it makes sense to persist the Elasticsearch data for Data Center Edition (DCE) clusters because the cluster will survive the loss of any single search node without index corruption. Persistence is enabled for the DCE by default and managed with the Helm chart.

{% hint style="warning" %}
Disabling persistence results in a longer startup time before SonarQube Server is fully available, which can be a very large factor given the downtime needed to rebuild the index on DCE clusters.
{% endhint %}

## Related pages <a href="#related-pages" id="related-pages"></a>

* [before-you-start](https://docs.sonarsource.com/sonarqube-server/server-installation/data-center-edition/on-kubernetes-or-openshift/before-you-start "mention")
* [installing-from-helm-repo](https://docs.sonarsource.com/sonarqube-server/server-installation/data-center-edition/on-kubernetes-or-openshift/installing-from-helm-repo "mention")
* [installing-from-gcp](https://docs.sonarsource.com/sonarqube-server/server-installation/data-center-edition/on-kubernetes-or-openshift/installing-from-gcp "mention")
* [set-up-monitoring](https://docs.sonarsource.com/sonarqube-server/server-installation/on-kubernetes-or-openshift/set-up-monitoring "mention")
* [setting-up-autoscaling](https://docs.sonarsource.com/sonarqube-server/server-installation/data-center-edition/on-kubernetes-or-openshift/setting-up-autoscaling "mention")
* **Configuring network security features:**
  * [elasticsearch-security-features](https://docs.sonarsource.com/sonarqube-server/server-installation/data-center-edition/network-security/elasticsearch-security-features "mention")
  * [network-rules](https://docs.sonarsource.com/sonarqube-server/server-installation/data-center-edition/network-security/network-rules "mention")
