Deploy SonarQube and the sonarqube-community-branch-plugin on Kubernetes with Terraform
Create terraform configurations
main.tf
# Toolchain pins for this stack: Terraform itself plus the three providers it uses.
# "~> X.Y.Z" accepts newer patch releases of X.Y only. Commit .terraform.lock.hcl
# as well, so the provider checksums are pinned along with the versions.
terraform {
  required_version = ">= 1.5.4"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.11.0"
    }

    helm = {
      source  = "hashicorp/helm"
      version = "~> 2.10.1"
    }

    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = "~> 2.22.0"
    }
  }
}
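# Helm provider, pointed at the EKS cluster exposed by module.eks
# (the module is declared outside this listing).
provider "helm" {
  kubernetes {
    host                   = module.eks.cluster_endpoint
    cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)

    # The cluster token is fetched at run time through the AWS CLI, so no static
    # cluster credential is written into the configuration. The AWS CLI must be
    # installed where Terraform runs, and the AWS identity used for the run is
    # the identity that acts on the cluster.
    exec {
      api_version = "client.authentication.k8s.io/v1beta1"
      command     = "aws"
      # Fixed: the original read "module.eks..cluster_name" (double dot), which does not parse.
      args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name]
    }
  }
}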
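# Kubernetes provider, pointed at the same EKS cluster as the Helm provider
# (module.eks is declared outside this listing).
provider "kubernetes" {
  host                   = module.eks.cluster_endpoint
  cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)

  # Token is obtained per run via "aws eks get-token"; nothing long-lived is
  # stored in the configuration. The AWS identity used for the run is the
  # identity that acts on the cluster.
  exec {
    api_version = "client.authentication.k8s.io/v1beta1"
    command     = "aws"
    # This requires the awscli to be installed locally where Terraform is executed
    # Fixed: the original read "module.eks..cluster_name" (double dot), which does not parse.
    args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name]
  }
}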
data.tf
The SonarQube admin account is read from AWS SSM Parameter Store
# SonarQube admin user account.
# helm-sonarqube.tf runs jsondecode() on this value and reads its "username"
# and "password" fields, so the parameter has to hold a JSON object with both.
# NOTE(review): presumably stored as a SecureString; confirm in SSM.
# The decrypted value is copied into the Terraform state, so the state backend
# needs encryption at rest and tightly scoped read access.
data "aws_ssm_parameter" "sonarqube" {
  name = "/sonarqube/admin_user"
}
helm-sonarqube.tf
Install the Helm chart with Terraform
# Dedicated namespace that the SonarQube Helm release is installed into.
resource "kubernetes_namespace" "sonarqube" {
  metadata {
    name = "sonarqube"
  }
}
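# Installs the SonarQube chart at a pinned chart version, using values rendered
# from configs/sonarqube.yaml.
resource "helm_release" "sonarqube" {
  name       = "sonarqube"
  namespace  = kubernetes_namespace.sonarqube.metadata[0].name
  repository = "https://SonarSource.github.io/helm-chart-sonarqube"
  chart      = "sonarqube"
  version    = "10.1.0+628"

  # The rendered values contain the admin credentials from SSM. They are kept in
  # the Terraform state and in the release record Helm stores in the cluster, so
  # read access to both should be restricted.
  values = [
    # path.module keeps the template path valid regardless of the directory
    # Terraform is started from.
    templatefile("${path.module}/configs/sonarqube.yaml", {
      username = jsondecode(data.aws_ssm_parameter.sonarqube.value).username
      password = jsondecode(data.aws_ssm_parameter.sonarqube.value).password
    })
  ]

  # Already implied by the namespace reference above; kept explicit as in the original.
  depends_on = [
    kubernetes_namespace.sonarqube
  ]
}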
configs/sonarqube.yaml
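# Helm values for the SonarQube chart. This file is a Terraform templatefile()
# template: "username" and "password" are supplied by the helm_release resource.
# Template sequences are expanded inside comments too, so keep them out of comments.
account:
  # NOTE(review): the "username" variable is passed as adminPassword here. In the
  # SonarQube chart this key appears to be the admin password to set, with
  # currentAdminPassword being the existing one, so the admin password would end
  # up equal to the SSM "username" field. Confirm this mapping is intended.
  # jsonencode() emits a quoted, escaped scalar, so special characters in the
  # secret can neither break the YAML nor change its structure.
  adminPassword: ${jsonencode(username)}
  currentAdminPassword: ${jsonencode(password)}

# deploymentType: "Deployment"

ingress:
  enabled: true
  hosts:
    - name: sonarqube.devops.kyiv.ua
      path: /
  annotations:
    external-dns.alpha.kubernetes.io/hostname: sonarqube.devops.kyiv.ua
    external-dns.alpha.kubernetes.io/cloudflare-proxied: "false"
    external-dns.alpha.kubernetes.io/ttl: "120"
    cert-manager.io/cluster-issuer: "sonarcube-cert"
    nginx.ingress.kubernetes.io/proxy-body-size: "64m"
  # TLS certificate for the host is stored in the secret named below.
  tls:
    - hosts:
        - sonarqube.devops.kyiv.ua
      secretName: sonarqube-tls

plugins:
  # These JARs are downloaded by URL and run inside SonarQube; no checksum is
  # given for them in this file. Verify each artifact once and serve it from a
  # location you control where possible.
  install:
    - https://github.com/vaulttec/sonar-auth-oidc/releases/download/v2.1.1/sonar-auth-oidc-plugin-2.1.1.jar
    - https://github.com/cnescatlab/sonar-cnes-report/releases/download/4.2.0/sonar-cnes-report-4.2.0.jar
    # TODO: https://github.com/mc1arke/sonarqube-community-branch-plugin/issues/782
    # NOTE(review): this URL follows the "master" branch of a personal fork, so
    # the file behind it can change without this configuration changing. Pin it
    # to a commit SHA or a release asset, or mirror a verified copy internally.
    - https://raw.githubusercontent.com/oleksandr-mazur/sonarqube-community-branch-plugin/master/sonarqube-community-branch-plugin-1.15.0.jar

sonarProperties:
  # The branch plugin is attached as a Java agent to both the web and the
  # compute-engine JVMs, so whatever that JAR contains runs with SonarQube's
  # full privileges. The file name must match the JAR installed above.
  sonar.web.javaOpts: "-javaagent:/opt/sonarqube/extensions/plugins/sonarqube-community-branch-plugin-1.15.0.jar=web"
  sonar.ce.javaOpts: "-javaagent:/opt/sonarqube/extensions/plugins/sonarqube-community-branch-plugin-1.15.0.jar=ce"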
Apply the configuration
$ terraform apply