Version: 3.10

SonarQube Integration

This documentation offers detailed guidance on seamlessly integrating SonarQube into KubeRocketCI. It covers essential steps to ensure a robust connection between SonarQube's code quality and security analysis capabilities with the platform's continuous delivery ecosystem, facilitating enhanced code inspection and improvement practices within your development workflow.

Prerequisites

Before proceeding, ensure the following prerequisites are in place:

Installation​

To install SonarQube in your environment, it is recommended to use the resources provided in the Cluster Add-Ons repository. This approach installs both sonarqube and the sonar-operator. Leveraging the Cluster Add-Ons simplifies deployment and management, providing a streamlined way to integrate SonarQube into your infrastructure.

  1. Navigate to the forked Cluster Add-Ons repository and align the sonar values.yaml and sonar-operator values.yaml files. Follow the instructions to deploy sonarqube, ensuring it is correctly configured.

  2. Update the configuration to enable sonar and sonar-operator in Add-Ons repository:

    clusters/core/apps/values.yaml

    sonar:
      createNamespace: true
      enable: true

    sonar-operator:
      createNamespace: true
      enable: true
  3. Sync the resources and wait until all sonar and sonar-operator resources are created:

    [Screenshot: sonarqube ArgoCD applications]

  4. Sign in to SonarQube using the default credentials (Username: admin, Password: admin) and change the default password for better security: click the profile icon in the upper right corner, click Security, enter a new password, and click the Update button:

    [Screenshot: sonarqube change password]

Applying GitOps approach installation changes

To update SonarQube configurations:

  1. Modify the relevant configuration files in the forked add-ons repository.
  2. Commit and push the changes to the forked Git repository.
  3. Synchronize the changes with ArgoCD.

Configuration

With the Add-Ons approach, predefined SonarQube plugins are added and the sonar-operator creates the necessary groups, users, permission templates, quality profiles, and quality gates automatically by deploying preconfigured custom resources. Manage these configurations centrally through a GitOps-based workflow.

Configuration SonarQube with sonar-operator

  1. Create a Kubernetes Secret that the sonar-operator uses to connect to SonarQube and create all resources:

    apiVersion: v1
    kind: Secret
    metadata:
      name: sonar-admin-password
      namespace: sonar
    type: Opaque
    data:
      user: YWRtaW4= # base64-encoded value of "admin"
      password: cGFzcw== # base64-encoded value of "pass"

  2. Create a secret using manifests or with the External Secrets Operator to enable the sonar-operator to connect to SonarQube for provisioning:

    apiVersion: v1
    kind: Secret
    metadata:
      name: ci-sonar
      namespace: sonar
    type: Opaque
    stringData:
      password: <sonar-ci-password>
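The two Secret manifests above are easy to get subtly wrong by hand: `echo admin | base64` encodes a trailing newline (YWRtaW4K instead of YWRtaW4=), and a ci-user password containing YAML-special characters breaks the stringData block. The following script is an added example, not code from the KubeRocketCI docs or the sonar-operator project; it renders both manifests from values passed as arguments, encodes without the stray newline, and quotes the stringData value as a YAML single-quoted scalar. It assumes the secret names and the sonar namespace shown above, and that the real credentials are supplied from the environment rather than committed to the add-ons repository.

```shell
#!/bin/sh
# Added example (not part of the KubeRocketCI documentation): render the
# sonar-admin-password and ci-sonar Secret manifests without hand-encoding.
# Assumed names: namespace "sonar", secrets "sonar-admin-password" and
# "ci-sonar" (both taken from the section above). Credential values are
# passed in by the caller, e.g. from exported environment variables.

set -eu

# Encode without a trailing newline. `echo admin | base64` yields YWRtaW4K,
# which the operator would send to SonarQube as the user "admin\n".
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode helper for double-checking what will land in the cluster
# (GNU coreutils; older macOS base64 spells this flag -D).
b64_decode() {
  printf '%s' "$1" | base64 -d
}

# YAML single-quoted scalar: the only escape needed is doubling a quote,
# so passwords containing ':', '#', '{' or '"' stay intact in stringData.
yaml_sq() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
}

# Manifest the sonar-operator reads to log in to SonarQube (data: block,
# so the values must be base64-encoded by us).
sonar_admin_secret_manifest() {
  user="$1"; password="$2"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: sonar-admin-password
  namespace: sonar
type: Opaque
data:
  user: $(b64 "$user")
  password: $(b64 "$password")
EOF
}

# Manifest for the ci-user credential (stringData: Kubernetes encodes it).
ci_sonar_secret_manifest() {
  password="$1"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ci-sonar
  namespace: sonar
type: Opaque
stringData:
  password: $(yaml_sq "$password")
EOF
}

# Usage (SONAR_ADMIN_PASSWORD and SONAR_CI_PASSWORD are placeholder
# variable names the operator exports before running this):
#   sonar_admin_secret_manifest admin "$SONAR_ADMIN_PASSWORD" | kubectl apply -f -
#   ci_sonar_secret_manifest "$SONAR_CI_PASSWORD" | kubectl apply -f -
```

Piping the output straight into `kubectl apply -f -` keeps the plaintext manifest out of the working tree; if the manifest must live in Git, use the External Secrets Operator path instead, as the step above allows.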

SonarQube configuration overview with sonar-operator

Plugin Management

The SonarQube instance includes pre-installed plugins to meet common project needs. Additional plugins, if required, can be installed by updating the SonarQube values.yaml file in the forked add-ons repository.

Group Permissions

Access control in SonarQube is organized through predefined groups:

  • sonar-administrators: System administrators with full access to manage the instance.

  • sonar-developers: Developers who can view and edit project settings (managed by the Sonar Operator).

  • sonar-users: Default group for all authenticated users with basic project viewing rights.

  • view-group: Grants browsing access for users requiring read-only permissions.

    [Screenshot: sonarqube kuberocketci permission template]

Permission Templates

Permissions in SonarQube are associated with projects through permission templates:

  • edp-default: The default template applied to all projects, ensuring consistent group-level access management across the platform.

Quality Gates

Quality Gates are used to ensure that code quality standards are met before further development or deployment proceeds:

  • EDP way (default): KubeRocketCI quality gates are defined in the SonarQube instance, specifically tailored for the KubeRocketCI project.

  • Sonar way (built-in): These are predefined quality gates available directly in SonarQube, not customized for any specific project but rather standardized for general use.

    [Screenshot: sonarqube kuberocketci quality gate]

Quality Profiles

Quality Profiles define the rules used during code analysis. The Sonar Operator manages quality profiles with the following default setup:

  • EDP way (default): A Java quality profile based on KubeRocketCI best practices, offering tailored rule sets.

Configuration SonarQube ci-user without sonar-operator

To establish robust authentication and precise access control, generating a SonarQube token is essential. This token is a distinct identifier, enabling effortless integration between SonarQube and KubeRocketCI. To generate the SonarQube token, proceed with the following steps:

  1. Open the SonarQube UI and navigate to Administration -> Security -> User. Create a new user or select an existing one. Click the Options List icon to create a token:

    [Screenshot: SonarQube user settings]

  2. Type the ci-user username, define an expiration period, and click the Generate button to create the token:

    [Screenshot: SonarQube create token]

  3. Click the Copy button to copy the generated <Sonarqube-token>:

    [Screenshot: SonarQube token]
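Before the copied token is stored in the ci-sonar secret or entered in the Portal, it is worth confirming that it actually authenticates; a token with a typo or an already-expired one only surfaces later as a failed pipeline. The script below is an added example, not code from the KubeRocketCI docs or project. It calls SonarQube's own GET /api/authentication/validate endpoint, which returns {"valid":true} or {"valid":false}, passing the token as the Basic-auth username with an empty password (the way SonarQube accepts user tokens). SONAR_URL and SONAR_TOKEN are placeholder variable names assumed to be exported by whoever runs the check.

```shell
#!/bin/sh
# Added example (not part of the KubeRocketCI documentation): verify a
# ci-user token against SonarQube before storing it anywhere.
# Assumed inputs: SONAR_URL (e.g. the placeholder https://sonar.example.com)
# and SONAR_TOKEN, exported by the person running this.

set -eu

# Strip trailing slashes so the API path does not become "//api/...".
normalize_url() {
  printf '%s' "$1" | sed 's#/*$##'
}

# Parse the validate response. Whitespace is removed first so a
# pretty-printed body ({ "valid" : true }) matches as well as the compact one.
token_is_valid() {
  printf '%s' "$1" | tr -d ' \t\n' | grep -q '"valid":true'
}

# Call SonarQube with the token as the Basic-auth user and an empty password.
# Only the verdict and the server URL are printed; the token itself is not.
check_sonar_token() {
  url="$(normalize_url "$1")"; token="$2"
  body="$(curl -sS -u "$token:" "$url/api/authentication/validate")"
  if token_is_valid "$body"; then
    echo "token accepted by $url"
  else
    echo "token rejected by $url (response: $body)" >&2
    return 1
  fi
}

# Usage:
#   check_sonar_token "$SONAR_URL" "$SONAR_TOKEN" && echo "safe to store in ci-sonar"
```

Running this from the same network the pipelines use also catches URL mistakes (wrong scheme, internal hostname not resolvable) before they are written into the integration secret.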

Integration SonarQube with KubeRocketCI

Provision the secret using a manifest, the KubeRocketCI Portal, or the External Secrets Operator:

Go to the Portal and open Configuration -> CODE QUALITY -> SONARQUBE. Update the existing integration or click + ADD INTEGRATION, fill in the URL and Token fields, and click the Save button:

    [Screenshot: SonarQube update manual secret]

Project Analysis Flow

  1. SonarQube analysis is integrated into KubeRocketCI pipelines and is triggered in both review and build pipelines:
  • Review Pipeline: Analyzes only the changes made in a pull request.
  • Build Pipeline: Analyzes the main branch codebase to ensure overall project quality.
  2. SonarQube projects are named after the corresponding KubeRocketCI project names, making it easy to navigate analysis results in the SonarQube UI (see the repository project settings for details on how to configure this):

    [Screenshot: SonarQube project]