SonarQube maintenance (#1343)

Author: BraisVQ

.github/workflows/continuous-integration-workflow.yml

@@ -51,7 +51,7 @@ jobs:
     runs-on: ubuntu-22.04
     strategy:
       matrix:
-        version: ['10.8.0'] # 9.9 = LTS
+        version: ['2025.5.0']
         edition: ['developer', 'enterprise']
     steps:
       -
@@ -66,6 +66,21 @@ jobs:
         run: |
           cd sonarqube && ./test.sh --sq-version=${{ matrix.version }} --sq-edition=${{ matrix.edition }}
 
+  sonarqube-postgresql:
+    name: SonarQube PostgreSQL tests
+    runs-on: ubuntu-22.04
+    steps:
+      -
+        name: Checkout repository
+        uses: actions/checkout@v4.2.2
+      -
+        name: Build docker image
+        run: |
+          ./.github/workflows/build-docker-image.sh \
+          --imagename ods-sonarqube-postgresql \
+          --dockerdir sonarqube/docker \
+          --dockerfile Dockerfile.database
+
   nexus:
     name: Nexus tests
     runs-on: ubuntu-22.04

CHANGELOG.md

@@ -8,6 +8,7 @@
 - Change Cnes report to custom SonarQube report ([#1354](https://github.com/opendevstack/ods-core/pull/1354))
 - Adapted Sonarqube server configuration to make projects private and have custom gate ([#1347](https://github.com/opendevstack/ods-core/pull/1347))
 - Update Aqua cli to 2022.4.829 ([#1353](https://github.com/opendevstack/ods-core/pull/1353))
+- Update SonarQube and use local image for database ([#1343](https://github.com/opendevstack/ods-core/pull/1343))
 
 ### Fixed
 

Makefile

@@ -131,13 +131,13 @@ apply-sonarqube-chart:
 
 ## Start build of BuildConfig "sonarqube".
 start-sonarqube-build:
-	ocp-scripts/start-and-follow-build.sh --namespace $(ODS_NAMESPACE) --build-config sonarqube
+	ocp-scripts/start-and-follow-build.sh --namespace $(ODS_NAMESPACE) --build-config sonarqube && ocp-scripts/start-and-follow-build.sh --namespace $(ODS_NAMESPACE) --build-config sonarqube-postgresql
 	@echo "Visit $(SONARQUBE_URL)/setup to see if any update actions need to be taken."
 .PHONY: start-sonarqube-build
 
 ## Configure SonarQube service.
 configure-sonarqube:
-	cd sonarqube && ./configure.sh --sonarqube=$(SONARQUBE_URL) $(INSECURE_FLAG)
+	cd sonarqube && ./configure.sh --sonarqube=$(SONARQUBE_URL) --database-config=true $(INSECURE_FLAG)
 .PHONY: configure-sonarqube
 
 
@@ -181,20 +181,14 @@ start-opentelemetry-collector-build:
 
 # BACKUP
 ## Create a backup of the current state.
-backup: backup-sonarqube backup-ocp-config
+backup: backup-ocp-config
 .PHONY: backup
 
 ## Create a backup of OpenShift resources in "ods" namespace.
 backup-ocp-config:
 	tailor export --namespace $(ODS_NAMESPACE) > backup_ods.yml
 .PHONY: backup-ocp-config
 
-## Create a backup of the SonarQube database in backup storage and in the current directory.
-backup-sonarqube:
-	cd sonarqube && ./backup.sh --namespace $(ODS_NAMESPACE) --local-copy=true --backup-dir `pwd`
-.PHONY: backup-sonarqube
-
-
 # PVC MIGRATION
 ## Migrate data from one PVC to another. Options: SOURCE_PVC, TARGET_PVC, THREADS (default: 5), CPU_REQUEST (default: 1), MEMORY (default: 2)
 migrate-pvc-data:

configuration-sample/ods-core.env.sample

@@ -89,7 +89,7 @@ NEXUS_STORAGE_PROVISIONER="ebs.csi.aws.com"
 # Storage class for Nexus data, for AWS this should be "gp3-csi"
 NEXUS_STORAGE_CLASS_DATA="gp3-csi"
 
-# Storage class for Nexus backup, for AWS this should be "gp2-encrypted"
+# Storage class for Nexus backup, for AWS this should be "csi-aws-vsc"
 NEXUS_STORAGE_CLASS_BACKUP="csi-aws-vsc"
 
 # Nexus snapshot configuration, default to run daily at 2 AM
@@ -124,6 +124,8 @@ SONAR_ADMIN_PASSWORD_B64=changeme
 # Authentication token used by sonar-scanner-cli from Jenkins pipelines.
 # Do not change the value manually - the token is created and set automatically during "make configure-sonarqube".
 SONAR_AUTH_TOKEN_B64=changeme
+# Web authetification code, needed for liveness Probe
+SONAR_WEB_SYSTEMPASSCODE_B64=changeme
 
 # Toggle authentication via SAML
 SONAR_AUTH_SAML='true'
@@ -138,14 +140,17 @@ SONAR_SAML_CERTIFICATE_B64=changeme
 # Image to use for the PostgreSQL database. This needs to be compatible with
 # your SonarQube version, see https://docs.sonarqube.org/latest/requirements/requirements/.
 # Take care when upgrading either database or SQ version.
-# E.g. registry.redhat.io/rhel9/postgresql-15
-SONAR_DATABASE_IMAGE=docker-registry.default.svc:5000/openshift/postgresql:15
+# E.g. registry.redhat.io/rhel10/postgresql-16
+SONAR_DATABASE_IMAGE=registry.redhat.io/rhel10/postgresql-16
 # Connection string for JDBC. Typically this does not need to be changed.
 SONAR_DATABASE_JDBC_URL=jdbc:postgresql://sonarqube-postgresql:5432/sonarqube
 # Database name for SonarQube. Typically this does not need to be changed.
 SONAR_DATABASE_NAME=sonarqube
 # Password of SonarQube database - should be set to a secure password.
 SONAR_DATABASE_PASSWORD_B64=changeme
+SONAR_DATABASE_SUPER_NAME=super_sonarqube
+# Super Password of SonarQube database - should be set to a secure password.
+SONAR_DATABASE_SUPER_PASSWORD_B64=changeme
 # User of SonarQube database. Typically this does not need to be changed.
 SONAR_DATABASE_USER=sonarqube
 
@@ -157,29 +162,62 @@ SONAR_EDITION=developer
 # SonarQube version.
 # See Dockerhub https://hub.docker.com/_/sonarqube/tags
 # Officially supported is:
-# - 10.8.0
-SONAR_VERSION=10.8.0
+# - 2025.5.0
+SONAR_VERSION=2025.5.0
 
 # SonarQube memory and CPU resources
-SONARQUBE_CPU_REQUEST=200m
-SONARQUBE_MEMORY_REQUEST=2Gi
-SONARQUBE_CPU_LIMIT=1
-SONARQUBE_MEMORY_LIMIT=4Gi
+SONARQUBE_CPU_REQUEST=300m
+SONARQUBE_MEMORY_REQUEST=5Gi
+SONARQUBE_CPU_LIMIT=2
+SONARQUBE_MEMORY_LIMIT=5Gi
 
 # SonarQube data and backup capacity
 SONARQUBE_DATA_CAPACITY=2Gi
 SONARQUBE_EXTENSIONS_CAPACITY=1Gi
 
 # SonarQube database memory and CPU resources
-SONARQUBE_DB_CPU_REQUEST=100m
-SONARQUBE_DB_MEMORY_REQUEST=256Mi
-SONARQUBE_DB_CPU_LIMIT=1
+SONARQUBE_DB_CPU_REQUEST=200m
+SONARQUBE_DB_MEMORY_REQUEST=512Mi
+SONARQUBE_DB_CPU_LIMIT=2
 SONARQUBE_DB_MEMORY_LIMIT=512Mi
 
 # SonarQube database and backup capacity
 SONARQUBE_DB_CAPACITY=2Gi
 SONARQUBE_DB_BACKUP_CAPACITY=1Gi
 
+# SonarQube data storage name
+SONARQUBE_DATA_STORAGE_NAME="sonarqube-data-storage"
+
+# Storage class provisioner for SonarQube data, for AWS this should be "ebs.csi.aws.com"
+SONARQUBE_STORAGE_PROVISIONER=""
+
+# Storage class for SonarQube data, for AWS this should be "gp3-csi"
+SONARQUBE_STORAGE_CLASS_DATA=""
+
+# Storage class provisioner for fast SonarQube storage, for AWS this should be "ebs.csi.aws.com"
+SONARQUBE_FAST_STORAGE_PROVISIONER="ebs.csi.aws.com"
+
+# Storage class for fast SonarQube data, for AWS this should be "gp3-csi"
+SONARQUBE_FAST_STORAGE_CLASS_DATA="gp3-csi"
+
+# Storage class for fast SonarQube backup, for AWS this should be "csi-aws-vsc"
+SONARQUBE_FAST_STORAGE_CLASS_BACKUP="csi-aws-vsc"
+
+# SonarQube backup configuration, default to run daily at 2 AM
+SONARQUBE_BACKUP_SCHEDULE="0 2 * * *"
+
+# SonarQube DB backup TTL in days (default: 30 days)
+SONARQUBE_DB_BACKUP_TTL=30
+
+# SonarQube scan configuration
+SONAR_SCAN_ENABLED="true"
+SONAR_SCAN_EXCLUSIONS=".json,.xml,**/__pycache__/**,**/*.pyc,/venv/,/.venv/,/site-packages/,/node_modules/,/dist/,/build/,/out/,/coverage/,/.next/,/.parcel-cache/,/target/,/.gradle/,/.mvn/,/vendor/,/bin/,/obj/,/build/libs/,/.terraform/,/pkg/,/android/,/ios/,/www/,/target/**,/Cargo.lock,/target/,/**/*.class,/**/*.jar,/**/*.war"
+SONAR_SCAN_NEXUS_REPOSITORY=leva-documentation
+SONAR_SCAN_ALERT_EMAILS=
+SONAR_SCAN_PROJECTS_PRIVATE="false"
+SONAR_SCAN_ACCOUNT=cd-user-with-password
+
+
 #########
 # Jira #
 #########

jenkins/agent-base/Dockerfile.ubi8

@@ -2,8 +2,8 @@ FROM quay.io/openshift/origin-jenkins-agent-base
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
-ENV SONAR_SCANNER_VERSION=6.2.1.4610 \
-    SONAR_REPORT_VERSION=1.1 \
+ENV SONAR_SCANNER_VERSION=7.3.0.5189 \
+    SONAR_REPORT_VERSION=1.2 \
     COSIGN_VERSION=2.4.3 \
     TAILOR_VERSION=1.3.4 \
     SOPS_VERSION=3.9.0 \

nexus/chart/templates/nexus-snapshot-cronjob.yaml

@@ -1,19 +1,20 @@
 apiVersion: batch/v1
 kind: CronJob
 metadata:
-  name: nexus-volume-snapshot
+  name: {{ .Values.global.appName }}-volume-snapshot
   labels:
-    app: nexus
+    app: {{ .Values.global.appName }}
 spec:
   schedule: "{{ .Values.global.nexusSnapshotSchedule }}"
   concurrencyPolicy: Forbid
+  startingDeadlineSeconds: 3600
   suspend: false
   jobTemplate:
     spec:
-      ttlSecondsAfterFinished: {{ .Values.global.nexusSnapshotTTL }}
+      backoffLimit: 0
+      ttlSecondsAfterFinished: 604800
       template:
         spec:
-          backoffLimit: 0
           serviceAccountName: ods-edit
           containers:
           - name: snapshot-creator
@@ -35,27 +36,6 @@ spec:
                 source:
                   persistentVolumeClaimName: {{ .Values.global.nexusStorageName }}
               EOF
-
-              # Wait for the VolumeSnapshot to become Ready (configurable timeout)
-              TIMEOUT={{ .Values.global.nexusSnapshotCheckTimeout }}
-              INTERVAL=30
-              elapsed=0
-              TIMED_OUT=0
-              echo "Waiting for VolumeSnapshot $SNAP_NAME to be ready (timeout: $TIMEOUT seconds)..."
-              until [ $elapsed -ge $TIMEOUT ]; do
-                ready=$(oc get volumesnapshot "$SNAP_NAME" -n {{ .Values.global.odsNamespace }} -o jsonpath='{.status.readyToUse}' 2>/dev/null || echo "false")
-                if [ "$ready" = "true" ]; then
-                  echo "VolumeSnapshot $SNAP_NAME is ready"
-                  break
-                fi
-                sleep $INTERVAL
-                elapsed=$((elapsed + INTERVAL))
-                echo "  ... waited $elapsed seconds out of $TIMEOUT seconds"
-              done
-              if [ $elapsed -ge $TIMEOUT ]; then
-                echo "Timeout waiting for VolumeSnapshot $SNAP_NAME to be ready" >&2
-                exit 1
-              fi
             resources:
               limits:
                 cpu: '1'
@@ -65,5 +45,6 @@ spec:
                 memory: 256Mi
             imagePullPolicy: IfNotPresent
           restartPolicy: Never
+          terminationGracePeriodSeconds: 30
   successfulJobsHistoryLimit: 30
   failedJobsHistoryLimit: 30

nexus/chart/templates/snapshot-cleanup-cronjob.yaml

@@ -7,13 +7,14 @@ metadata:
 spec:
   schedule: "{{ .Values.global.nexusSnapshotCleanupSchedule }}"
   concurrencyPolicy: Forbid
+  startingDeadlineSeconds: 3600
   suspend: false
   jobTemplate:
     spec:
-      ttlSecondsAfterFinished: {{ int .Values.global.nexusSnapshotTTL }}
+      backoffLimit: 0
+      ttlSecondsAfterFinished: 604800
       template:
         spec:
-          backoffLimit: 0
           serviceAccountName: ods-edit
           containers:
           - name: snapshot-cleaner

sonarqube/backup.sh sonarqube/backup_old.shsonarqube/backup.sh renamed to sonarqube/backup_old.sh

@@ -15,10 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.1.1
+version: 1.2.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "10.8.0"
+appVersion: "2025.5.0"

sonarqube/chart/Chart.yaml

@@ -0,0 +1,40 @@
+apiVersion: build.openshift.io/v1
+kind: BuildConfig
+metadata:
+  labels:
+    app: {{ .Values.global.appName }}
+  name: {{ .Values.global.appName }}-postgresql
+spec:
+  failedBuildsHistoryLimit: 5
+  nodeSelector: null
+  output:
+    to:
+      kind: ImageStreamTag
+      name: {{ printf "%s-postgresql:%s" .Values.global.appName .Values.global.odsImageTag }}
+  postCommit: {}
+  resources:
+    limits:
+      cpu: {{ .Values.buildConfig.cpuLimit }}
+      memory: {{ .Values.buildConfig.memLimit }}
+    requests:
+      cpu: {{ .Values.buildConfig.cpuRequest }}
+      memory: {{ .Values.buildConfig.memRequest }}
+  runPolicy: Serial
+  source:
+    contextDir: sonarqube/docker
+    git:
+      uri: {{ .Values.global.repoBase }}/{{ .Values.global.odsBitBucketProject }}/ods-core.git
+      ref: {{ .Values.global.odsGitRef }}
+    sourceSecret:
+      name: cd-user-token
+    type: Git
+  strategy:
+    type: Docker
+    dockerStrategy:
+      dockerfilePath: Dockerfile.database
+      from:
+        kind: DockerImage
+        name: {{ .Values.global.sonarDatabaseImage}}
+      forcePull: true
+      noCache: true
+  successfulBuildsHistoryLimit: 5