This is a modified Docker image based on the public sonarqube:latest image. Its permissions have been changed so that it can run in an OpenShift environment.
- ability to define plugins to be installed the first time the container is run.
- support for persistent volumes for configuration, plugins & elastic indices
- additional configuration options
- ability to login using the OpenShift provided OAuth server (enabled by default) - see plugin docs for configuration and disable information
NOTE: By default this image will disable memory mapping in Elasticsearch. See upstream issues #310 & SONAR-12264. This is not suitable for production use. This can be changed by using an older version of SonarQube: add
-e upstream_sq_version=7.7-community -e sonar_search_java_additional_opts=''
to the ansible-playbook command below.
- Clone this repository:
git clone https://github.com/redhat-cop/containers-quickstarts
cd containers-quickstarts/sonarqube
- Run
ansible-galaxy install -r requirements.yml --roles-path=galaxy
- Login to OpenShift:
oc login -u <username> https://master.example.com:8443
There are a couple of settings that may need to be configured in order for this to work properly. By default, authorization is determined by the user's membership in the groups sonar-administrators for admins and sonar-users for ordinary users. To change the group association, review the configuration instructions here. To create a custom group, see the example here.
In many cases the certs that are associated with the pod are the same as those associated with the OpenShift OAuth server. If so, no configuration is necessary. If the cert is not the same, then you will need to provide the correct cert. Your two options are to ignore the cert with ignore.certs=true (only do this for testing purposes) or to provide the correct cert. See here for instructions.
Run the openshift-applier to create the SonarQube project and deploy the required objects:
ansible-playbook -i .applier galaxy/openshift-applier/playbooks/openshift-cluster-seed.yml
Once SonarQube is running you need to log in using username admin and password admin.
A first time setup wizard will launch that will create the first project and security token.
Save this security token, as it needs to be manually set on your Jenkins server.
Go to: Manage Jenkins -> Configure System -> SonarQube Servers.
- Select Enable injection of SonarQube server configuration as build environment variables
- Name can be anything; usually it's just sonar
- Server URL should be http://sonarqube:9000 if deployed to the same project as Jenkins
- Server authentication token should be the one you got from SonarQube
Once this is set up, the Jenkins pipelines have the environment variables required to use SonarQube plugins.
For example, for a NodeJS project you could run SonarQube with the following Jenkins pipeline script:
script {
    def scannerHome = tool 'sonar-scanner-tool';
    // 'sonar' is the Name configured under SonarQube Servers above
    withSonarQubeEnv('sonar') {
        sh "${scannerHome}/bin/sonar-runner"
    }
}
By default, SonarQube will use the embedded H2 database, which is only for demo usage. To use a proper database, set JDBC_USERNAME, JDBC_PASSWORD and JDBC_URL per the docs.
When the container image is built, the Dockerfile has a hardcoded list of plugins that are installed.
Some configuration settings are well defined, but you can always pass additional configuration using the catchall SONARQUBE_WEB_JVM_OPTS. Any Java properties placed in this environment variable will be passed to the SonarQube application. The format of the Java properties is like -Dsome.java.property=someValue, so you can add an environment variable like SONARQUBE_WEB_JVM_OPTS="-Dsonar.auth.google.allowUsersToSignUp=false -Dsonar.auth.google.enabled=true"
- Variable: SONAR_PLUGINS_LIST
- displayName: SonarQube Plugins List
- Description: "Space separated list of plugins See: here"
- Default Value: findbugs pmd ldap buildbreaker github gitlab
- Variable: SONARQUBE_WEB_JVM_OPTS
- displayName: Extra SonarQube startup properties
- Description: Extra startup properties for SonarQube (in the form of "-Dsonar.someProperty=someValue")
- Default Value:
- Variable: JDBC_USERNAME
- Description: Username for database user that will be used for accessing the database.
- displayName: database Connection Username
- from: user[A-Z0-9]{3}
- generate: expression
- Required: true
- Variable: JDBC_PASSWORD
- Description: Password for the database connection user.
- displayName: database Connection Password
- from: '[a-zA-Z0-9]{16}'
- generate: expression
- Required: true
- Variable: JDBC_URL
- displayName: JDBC URL for connecting to the SonarQube database
- Description: Password used for SonarQube database authentication (leave blank to use ephemeral database)
- Default Value: "jdbc:postgresql://postgresql:5432/sonar"
- Variable: LDAP_BINDDN
- displayName: LDAP bind Distinguished Name
- Description: Bind DN for LDAP authentication (leave blank for local authentication)
- Default Value:
- Variable: LDAP_BINDPASSWD
- displayName: LDAP bind password
- Description: Bind password for LDAP authentication (leave blank for local authentication)
- Default Value:
- Variable: LDAP_URL
- displayName: LDAP server URL
- Description: LDAP URL for authentication (leave blank for local authentication)
- Default Value:
- Variable: LDAP_REALM
- displayName: LDAP realm
- Description: "A realm defines the namespace from which the authentication entity (the value of the Context.SECURITY_PRINCIPAL property) is selected. See: here"
- Default Value:
- Variable: LDAP_CONTEXTFACTORY
- displayName: JNDI ContextFactory to be used
- Description: The context factory is a Java class which is used for creating bindings to LDAP servers. The default value should work with most LDAP servers.
- Default Value: com.sun.jndi.ldap.LdapCtxFactory
- Variable: LDAP_STARTTLS
- displayName: Enable StartTLS
- Description: Tells the LDAP plugin to use TLS for connections to the LDAP server
- Default Value: "false"
- Variable: LDAP_AUTHENTICATION
- displayName: LDAP authentication method
- Description: "Typical values include: simple | CRAM-MD5 | DIGEST-MD5 | GSSAPI"
- Default Value: simple
- Variable: LDAP_USER_BASEDN
- displayName: LDAP user base Distinguished Name
- Description: LDAP BaseDN under which to search for user objects
- Default Value:
- Variable: LDAP_USER_REQUEST
- displayName: LDAP user object filter
- Description: A filter definition which will cause the LDAP server to only return user objects
- Default Value: (&(objectClass=inetOrgPerson)(uid={login}))
- Variable: LDAP_USER_REAL_NAME_ATTR
- displayName: LDAP user's real name attribute
- Description: LDAP attribute on the user object which will be used to get the user's full name
- Default Value: cn
- Variable: LDAP_USER_EMAIL_ATTR
- displayName: LDAP user e-mail attribute
- Description: LDAP attribute which holds the user's e-mail address
- Default Value: mail
- Variable: LDAP_GROUP_BASEDN
- displayName: LDAP group base Distinguished Name
- Description: LDAP BaseDN under which to search for group objects
- Default Value:
- Variable: LDAP_GROUP_REQUEST
- displayName: LDAP group object filter
- Description: A filter definition which will cause the LDAP server to only return group objects
- Default Value: (&(objectClass=groupOfUniqueNames)(uniqueMember={dn}))
- Variable: LDAP_GROUP_ID_ATTR
- displayName: LDAP group ID attribute
- Description: LDAP attribute from the group object which holds the group's ID
- Default Value: cn
- Variable: SONARQUBE_BUILDBREAKER_MAX_ATTEMPTS
- displayName: Max BuildBreaker attempts
- Description: Build Breaker plugin - Max number of poll attempts before failing to get analysis results
- Default Value: "30"
- Variable: SONARQUBE_BUILDBREAKER_INTERVAL
- displayName: Poll Interval
- Description: Build Breaker plugin - Interval to wait between poll requests to get analysis results
- Default Value: "20000"
- Variable: SONARQUBE_BUILDBREAKER_THRESHOLD
- displayName: Failure threshold
- Description: Build Breaker plugin - Threshold of an issue at which a build will instantly break regardless of all other analysis results
- Default Value: "CRITICAL"
- Variable: SONAR_BUILDBREAKER_DISABLE
- displayName: Disable Build Breaker plugin
- Description: Build Breaker plugin - Disable the build breaker plugin for all builds
- Default Value: "true"
- Variable: FORCE_AUTHENTICATION
- displayName: Require Authentication
- Description: Require authentication for all requests to sonarqube
- Default Value: "true"
- Variable: SONAR_SEARCH_JAVA_ADDITIONAL_OPTS
- displayName: Add sonar.search.javaAdditionalOpts
- Description: Pass in additional Java opts to ElasticSearch
- Default Value:
POSTGRES_DATABASE_NAME=sonar
POSTGRES_PASSWORD=sonar
POSTGRES_USERNAME=sonar
SONAR_LDAP_STARTTLS=true
SONAR_LDAP_BIND_DN=uid=admin,CN=users,CN=compat,DC=mycompany,DC=com
SONAR_LDAP_BIND_PASSWORD='S0m3P4s$woRd'
SONAR_LDAP_URL=ldaps://idm.mycompany.com:389
SONAR_LDAP_AUTHENTICATION=simple
SONAR_LDAP_USER_BASEDN=DC=mycompany,DC=com
SONAR_LDAP_USER_REAL_NAME_ATTR=cn
SONAR_LDAP_USER_EMAIL_ATTR=mail
SONAR_LDAP_USER_REQUEST=(&(objectClass=inetOrgPerson)(uid={login}))
SONAR_LDAP_GROUP_REQUEST=(&(objectClass=posixgroup)(memberUid={uid}))
SONAR_LDAP_GROUP_BASEDN=DC=mycompany,DC=com
SONAR_LDAP_GROUP_ID_ATTR=cn
SONAR_AUTOCREATE_USERS=true
SONAR_AUTH_REALM=LDAP

POSTGRES_DATABASE_NAME=sonar
POSTGRES_PASSWORD=sonar
POSTGRES_USERNAME=sonar
SONAR_LDAP_STARTTLS=false
SONAR_LDAP_BIND_DN=uid=admin,CN=users,CN=compat,DC=mycompany,DC=com
SONAR_LDAP_BIND_PASSWORD='S0m3P4s$woRd'
SONAR_LDAP_URL=ldap://mycompany.com:389
SONAR_LDAP_AUTHENTICATION=simple
SONAR_LDAP_USER_BASEDN=DC=mycompany,DC=com
SONAR_LDAP_USER_REAL_NAME_ATTR=cn
SONAR_LDAP_USER_EMAIL_ATTR=mail
SONAR_LDAP_USER_REQUEST=(&(objectClass=user)(sAMAccountName={login}))
SONAR_LDAP_GROUP_REQUEST=(&(objectClass=group)(member={dn}))
SONAR_LDAP_GROUP_BASEDN=DC=mycompany,DC=com
SONAR_LDAP_GROUP_ID_ATTR=cn
SONAR_AUTOCREATE_USERS=true
SONAR_AUTH_REALM=LDAP
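
The two example environments above differ mainly in how the LDAP connection is protected, so the following added example (not part of this repository) checks an environment file for the transport and credential combinations worth reviewing before deployment. The finding labels and the function names parse_env and audit are invented for this example; the variable names are the ones used in the environments above.

```python
import re

# Constructed sample, abridged from the second example environment on this page.
SAMPLE_ENV = """\
POSTGRES_PASSWORD=sonar
POSTGRES_USERNAME=sonar
SONAR_LDAP_STARTTLS=false
SONAR_LDAP_BIND_PASSWORD='S0m3P4s$woRd'
SONAR_LDAP_URL=ldap://mycompany.com:389
SONAR_LDAP_AUTHENTICATION=simple
SONAR_LDAP_USER_REQUEST=(&(objectClass=user)(sAMAccountName={login}))
"""

def parse_env(text):
    """Parse KEY=VALUE lines; split on the first '=' only, since LDAP DNs and filters contain '='."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip().strip("'\"")
    return env

def audit(env):
    """Return finding labels (names invented for this example) for risky combinations."""
    findings = []
    starttls = env.get("SONAR_LDAP_STARTTLS", "false").lower() == "true"
    auth = env.get("SONAR_LDAP_AUTHENTICATION", "simple").lower()
    m = re.match(r"(ldaps?)://[^:/]+(?::(\d+))?", env.get("SONAR_LDAP_URL", ""))
    if m:
        scheme, port = m.groups()
        # Simple bind over ldap:// without StartTLS sends the bind password unencrypted.
        if scheme == "ldap" and not starttls and auth == "simple":
            findings.append("cleartext-bind")
        # StartTLS upgrades a plain connection; ldaps:// is already TLS from the first byte.
        if scheme == "ldaps" and starttls:
            findings.append("ldaps-with-starttls")
        # 389 is the conventional plain-LDAP port, 636 the conventional LDAPS port.
        if scheme == "ldaps" and port == "389":
            findings.append("ldaps-on-port-389")
    password = env.get("POSTGRES_PASSWORD")
    if password and password == env.get("POSTGRES_USERNAME"):
        findings.append("db-password-equals-username")
    return findings

if __name__ == "__main__":
    print(audit(parse_env(SAMPLE_ENV)))
```
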