sonarqube role

This role installs SonarQube with extended set of plugins. Playbook example below also uses openJDK, postgreSQL database and nginx web server with enabled https.

See article here: https://lean-delivery.com/2020/02/how-to-add-sonarqube-to-ci-process.html

In addition to default plugins included into SonarQube role could install following recommended plugins:

• checkstyle-sonar-plugin
• sonar-pmd-plugin
• sonar-findbugs-plugin
• mutation-analysis-plugin
• sonar-jdepend-plugin
• sonar-jproperties-plugin
• sonar-groovy-plugin
• sonar-dependency-check-plugin
• sonar-json-plugin
• sonar-yaml-plugin
• sonar-ansible-plugin
• sonar-shellcheck-plugin

Also you may install optional plugins. Be carefull, some of them are not supported in latest SonarQube versions:

• qualinsight-sonarqube-smell-plugin
• qualinsight-sonarqube-badges
• sonar-auth-github-plugin
• sonar-auth-bitbucket-plugin
• sonar-bitbucket-plugin (for Bitbucket Cloud)
• sonar-stash-plugin (for Bitbucket Server)
• sonar-auth-gitlab-plugin
• sonar-gitlab-plugin
• sonar-xanitizer-plugin
• sonar-build-breaker-plugin
• sonar-issueresolver-plugin
• sonarqube-community-branch-plugin
• sonar-aemrules-plugin

See plugin matrix here: https://docs.sonarsource.com/sonarqube/latest/instance-administration/plugin-version-matrix/

This role also provides some configuration options:

• ability to migrate db when updating SonarQube to new version
• ability to set Jenkins webhook
• ability to restore custom profiles
• LDAP configuration
• ability to change password for admin user

See Jenkins pipeline example here: https://raw.githubusercontent.com/lean-delivery/ansible-role-sonarqube/master/files/example_pipeline.groovy

Requirements

• Supported Ansible versions:
  • 5 (2.12) - not covered by tests yet, should work
  • 6 (2.13)
  • 7 (2.14)
• Supported SonarQube versions:
  • 7.9.6 previous LTS
  • 8.9.10 previous LTS
  • 9.9.5 LTS
  • 10.0 - 10.5.1
• Supported Java:
  • 11
  • 17 (use for SonarQube 9.9+)
• Supported databases
  • PostgreSQL
  • MySQL (not recommended)
  • embedded H2 (for tests only)
• Supported web servers (reverse proxy for https)
  • nginx
• Supported OS:
  • CentOS, RHEL
    • 7
  • Ubuntu
    • 18.04
    • 20.04 - not covered by tests yet, should work
    • 22.04 - not covered by tests yet, should work

Java, database, web server with self-signed certificate should be installed preliminarily. Use following galaxy roles:

• lean_delivery.java
• geerlingguy.postgresql
• jdauphant.ssl-certs
• nginxinc.nginx

Role Variables

• sonar_version - SonarQube version
• sonar_path - installation directory
  default: /opt/sonarqube
• sonar_user - user for installing SonarQube
  default: sonar
• sonar_group - group of SonarQube user
  default: sonar
• sonar_nofile - file descriptors amount that user running SonarQube can open
  default: 65536
• sonar_nproc - threads amount that user running SonarQube can open
  default: 4096
• sonar_max_map_count - mmap counts limit required for Elasticsearch
  default: 262144
• sonar_log_level - Logging level of SonarQube server
  default: INFO
• sonar_java_opts:
  • web - additional java options for web part of SonarQube
    default: -Xmx512m -Xms128m
  • es - additional java options for Elasticsearch
    default: -Xms512m -Xmx512m
  • ce - additional java options for Compute Engine
    default: -Xmx512m -Xms128m
• web:
  • host - SonarQube binding ip address
    default: 0.0.0.0
  • port - TCP port for incoming HTTP connections
    default: 9000
  • path - web context
    default: /
• sonar_db - database settings
  • type
    default : postgresql
  • port
    default : 5432
  • host
    default : localhost
  • name
    default: sonar
  • user
    default: sonar
  • password
    default: sonar
  • options
    default:
• sonar_store - sonarqube artifact provider
  default: https://sonarsource.bintray.com/Distribution/sonarqube
• sonar_check_url - url for SonarQube startup verification
  default: http://{{ web.host }}:{{ web.port }}
• sonar_download - is sonarqube.zip download required. Set to false when not possible to download zip and put zip to sonar_download_path manually before playbook run. default: true
• sonar_download_path - local download path
  default: /tmp/
• sonar_proxy_type - web server, nginx is only supported for now
  default: nginx
• sonar_proxy_server_name - server name in webserver config
  default: '{{ ansible_fqdn }}'
• sonar_proxy_http - is http connection allowed
  default: false
• sonar_proxy_http_port - http port
  default: 80
• sonar_proxy_ssl - is https connection allowed
  default: true
• sonar_proxy_ssl_port - https port
  default: 443
• sonar_proxy_ssl_cert_path - path to certificate
  default: '/etc/ssl/{{ sonar_proxy_server_name }}/{{ sonar_proxy_server_name }}.pem'
• sonar_proxy_ssl_key_path - path to key
  default: '/etc/ssl/{{ sonar_proxy_server_name }}/{{ sonar_proxy_server_name }}.key'
• sonar_proxy_client_max_body_size - client max body size setting in web server config
  default: 32m
• sonar_install_recommended_plugins - are recommended plugins required
  default: true
• sonar_recommended_plugins - list of recommended plugins\
• sonar_update_default_plugins - is update required for default plugins
  default: true
• sonar_default_plugins - list of default plugins\
• sonar_install_optional_plugins - are optional plugins required
  default: false
• sonar_optional_plugins - list of optional plugins switched off by default. Not all of them are supported in latest SonarQube versions, so select ones you need and override this property.
• sonar_excluded_plugins - list of old plugins excluded from SonarQube installer
• sonar_default_excluded_plugins - list of default plugins you don't need
  default: []
• sonar_web_user - username for admin user
  default: admin
• sonar_web_password - password for admin user
  default: admin
• change_password - set true to change password
  default: false
• sonar_web_old_password - current password (before changing)
  default: admin
• sonar_migrate_db - is DB migrate required. Set to true when updating existing SonarQube to new version.
  default: false
• sonar_set_jenkins_webhook - is jenkins webhook configuration required
  default: false
• sonar_jenkins_webhook_name - name of jenkins webhook
  default: jenkins
• sonar_jenkins_webhook_url - url of jenkins webhook
  default: https://jenkins.example.com/sonarqube-webhook/
• sonar_restore_profiles - is profile restore required
  default: false
• sonar_profile_list - list of profiles to restore
• sonar_updatecenter_activate - activate the SonarQube update center default: true

Ldap configuration section. See https://docs.sonarqube.org/latest/instance-administration/delegated-auth/#header-6 to get description

• ldap:
  default: undefined
  • authenticator_downcase
    default: false
  • url
    default: ldap://myserver.mycompany.com
  • bind_dn
    default: my_bind_dn
  • bind_password
    default: my_bind_password
  • authentication
    default: simple
  • realm
    default:
  • contextFactoryClass
    default: com.sun.jndi.ldap.LdapCtxFactory
  • StartTLS
    default: false
  • followReferrals
    default: true
  • user_base_dn
    default : ou=Users,dc=mycompany,dc=com
  • user_request
    default: (&(objectClass=inetOrgPerson)(uid={login}))
  • user_real_name_attribute
    default: cn
  • user_email_attribute
    default: mail
  • group_base_dn
    default: ou=Groups,dc=sonarsource,dc=com
  • group_request
    default: (&(objectClass=posixGroup)(memberUid={uid}))
  • group_idAttribute
    default: cn

Example Playbook

---
- name: Install SonarQube
  hosts: sonarqube
  become: true
  vars:
    # java
    java_major_version: 17
    transport: repositories
    # postgresql
    postgresql_users:
      - name: sonar
        password: sonar
    postgresql_databases:
      - name: sonar
    # ssl-certs
    ssl_certs_path_owner: nginx
    ssl_certs_path_group: nginx
    ssl_certs_common_name: sonarqube.example.com
    # sonarqube
    sonar_version: 10.5.1.88267
    sonar_check_url: 'http://{{ ansible_fqdn }}:9000'
    sonar_proxy_server_name: sonarqube.example.com
    sonar_install_optional_plugins: true
    sonar_optional_plugins: 
      - 'https://github.com/adnovum/sonar-build-breaker/releases/download/{{ build_breaker_epversion }}'
    sonar_default_excluded_plugins:
      - '{{ sonar_plugins_path }}/sonar-flex-plugin-2.12.0.4568.jar'
    sonar_web_password: your_new_secure_password
    change_password: true
    sonar_web_old_password: admin
    sonar_migrate_db: false  # set to true if updating SonarQube to new version 
    sonar_set_jenkins_webhook: true
    sonar_jenkins_webhook_url: https://jenkins.example.com/sonarqube-webhook/
    sonar_restore_profiles: true
    sonar_profile_list:
      - files/example_profile.xml
  pre_tasks:
    - name: install rpm key
      rpm_key:
        state: present
        key: https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{{ ansible_distribution_major_version }}
      when: ansible_distribution == 'RedHat'
    - name: install epel
      package:
        name: https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ansible_distribution_major_version }}.noarch.rpm
        state: present
      when: ansible_distribution == 'RedHat'
    # delete previously installed sonar to prevent plugins conflict
    - name: delete sonar
      file:
        path: '{{ sonar_path }}'
        state: absent
  roles:
    - role: lean_delivery.java
    - role: geerlingguy.postgresql
    - role: nginxinc.nginx
    - role: jdauphant.ssl-certs
    - role: lean_delivery.sonarqube
  tasks:
    - name: delete default nginx config
      file:
        path: /etc/nginx/conf.d/default.conf
        state: absent
    - name: reload nginx
      command: 'nginx -s reload'

License

Apache

Author Information

authors:

• Lean Delivery Team team@lean-delivery.com