Deploy a SonarQube cluster on Kubernetes
This page applies to deploying SonarQube Data Center Edition on Kubernetes. For information on deploying Community, Developer, and Enterprise editions of SonarQube on Kubernetes, see this documentation.
Overview
You can find the SonarQube DCE Helm chart on GitHub.
Your feedback is welcome at our community forum.
Kubernetes environment recommendations
When you want to operate SonarQube on Kubernetes, consider the following recommendations.
Supported Versions
The SonarQube helm chart should only be used with the latest version of SonarQube and a supported version of Kubernetes. There is a dedicated helm chart for the LTS version of SonarQube that follows the same patch policy as the application, while also being compatible with the supported versions of Kubernetes.
Pod Security Policies
The following widely-used Pod Security Policies cannot be used in combination with SonarQube:
- Privileged - The SonarQube images are currently intended to start as root in order to provision the PVC and drop to lower privileges after that.
- ReadOnlyFileSystem - SonarQube is doing some filesystem operations to the container filesystem in order to deploy the correct language analyzers and community plugins.
- MustRunAsNonRoot - There is a init container that needs to run privileged to ensure that the Elasticsearch requirements to the specific node are fulfilled.
Helm chart specifics
We try to provide a good default with the Helm chart, but there are some points to consider while working with SonarQube on Kubernetes. Please read the following sections carefully to make the correct decisions for your environment.
Installation
Currently only Helm 3 is supported.
To install the Helm chart from Helm Repository, you can use the following commands:
Persistency
SonarQube comes with a bundled Elasticsearch and, as Elasticsearch is stateful, so is SonarQube. For Data Center Edition (DCE) clusters, it makes sense to persist the Elasticsearch data because the cluster will survive the loss of any single search node without index corruption. By default, persistency is enabled for the DCE, and managed with the Helm chart.
Enabling persistency decreases the project reload time so that accessing project data is much faster. Although there is no need to change the default value in DCE, you can manage persistency with the following parameter in the values.yaml
:
Disabling persistency would result in a longer startup time until SonarQube is fully available which can be a very large factor considering the downtime for the index rebuild on DCE clusters.
Ingress Creation
To make the SonarQube service accessible from outside of your cluster, you most likely need an ingress. Creating a new ingress is also covered by the Helm chart. See the following section for help with creating one.
Ingress Class
The SonarSource Helm chart has an optional dependency to the NGINX-ingress helm chart. If you already have NGINX-ingress present in your cluster, you can use it.
If you want to install NGINX as well, add the following to your values.yaml
.
We recommend using the ingress-class
NGINX with a body size of at least 8MB. This can be achieved with the following changes to your values.yaml
:
Monitoring
You can monitor your SonarQube cluster using SonarQube's native integration with Prometheus. Through this integration, you can ensure your cluster is running properly and know if you need to take action to prevent future issues.
Prometheus monitors your SonarQube cluster by collecting metrics from the /api/monitoring/metrics
endpoint. Results are returned in OpenMetrics text format. See Prometheus' documentation on Exposition formats for more information on the OpenMetrics text format.
Monitoring through this endpoint requires authentication. You can access the endpoint following ways:
Authorization:Bearer xxxx
header: You can use a bearer token during database upgrade and when SonarQube is fully operational. Define the bearer token in thesonar.properties
file using thesonar.web.systemPasscode property
.X-Sonar-Passcode: xxxxx
header: You can useX-Sonar-passcode
during database upgrade and when SonarQube is fully operational. DefineX-Sonar-passcode
in thesonar.properties
file using thesonar.web.systemPasscode property
.- username:password and JWT token: When SonarQube is fully operational, system admins logged in with local or delegated authentication can access the endpoint.
JMX Exporter
You can also expose the JMX metrics to Prometheus with the help of the Prometheus JMX exporter.
To use this option, set the following values in your values.yaml
file:
This downloads the Prometheus JMX exporter agent and adds it to the startup options of SonarQube. With this default configuration, the JMX metrics will be exposed on /metrics for Prometheus to scrape.
The config scope here defines a configuration that is understandable by the Prometheus JMX exporter. For more information, please Prometheus' documentation on the JMX exporter.
PodMonitor
You can collect metrics on application nodes using PodMonitor for Prometheus. Search node monitoring is not currently supported. To monitor applications nodes, define PodMonitor as follows:
Log Format
SonarQube prints all logs in plain-text to stdout/stderr. It can print logs as JSON-String if the variable logging.jsonOutput
is set to true
. This will enable log collection tools like Loki to do post processing on the information that are provided by the application.
LogQL Example
With JSON Logging enabled, you can define a LogQL Query like this to filter only logs with the severity "ERROR" and display the Name of the Pod as well as the Message:
ES Cluster Authentication
Since SonarQube 8.9, you can enable basic security for the Search Cluster in SonarQube. To benefit from this additional layer of security on Kubernetes as well, you need to provide a PKCS#11 Container with the required certificates to our Helm chart. The required secret can be created like this:
Other Configuration Options
This documentation only contains the most important Helm chart customizations. See the Customize the chart before installing documentation and the Helm chart README for more possibilities on customizing the Helm chart.
Known limitations
Problems with Azure Fileshare PVC
Currently, there is a known limitation when working on AKS that resonates around the use of Azure Fileshare. We recommend using another storage class for persistency on AKS.
Was this page helpful?