Code quality scanning using SonarQube

We use SonarQube in our CI/CD pipelines, don't you?

Setup

For the purpose of this blog post we'll be using a Google Kubernetes Engine cluster with external-dns configured to manage our Google Cloud DNS records
and cert-manager deployed and configured for issuing ACME certificates to secure our ingress-nginx objects.

We're going to deploy the Keycloak charts for interfacing with our Identity Provider, then deploy the SonarQube charts and configure SAML with our Keycloak deployment.

Keycloak

Time to get our hands dirty, starting off with the Keycloak deployment:

kubectl create namespace keycloak

kubectl create secret generic keycloak-postgresql \
    --from-literal=postgresql-password=$(openssl rand -base64 32) \
    --from-literal=postgresql-replication-password=$(openssl rand -base64 32)

helm install --namespace keycloak keycloak \
    --set keycloak.ingress.enabled=true \
    --set keycloak.ingress.annotations."kubernetes\.io/ingress\.class"=nginx \
    --set keycloak.ingress.annotations."cert-manager\.io/cluster-issuer"=letsencrypt-prod \
    --set keycloak.ingress.hosts[0]=keycloak.k8s.yields.io \
    --set keycloak.ingress.tls[0].hosts[0]=keycloak.k8s.yields.io \
    --set keycloak.ingress.tls[0].secretName=tls-keycloak \
    --set keycloak.persistence.dbVendor=postgres \
    --set keycloak.persistence.deployPostgres=true \
    --set postgresql.postgresqlUser=keycloak \
    --set postgresql.existingSecret=keycloak-postgresql \
    --set postgresql.postgresqlDatabase=keycloak \
    --set postgresql.persistence.enabled=true \
    --set postgresql.replication.enabled=true \
    --set postgresql.replication.slaveReplicas=2 \
    --set postgresql.replication.synchronousCommit="on" \
    --set postgresql.replication.numSynchronousReplicas=1 \
    --set postgresql.metrics.enabled=true \
    codecentric/keycloak

SonarQube

kubectl create namespace sonarqube

kubectl create secret generic -n sonarqube sonarqube-postgresql \
    --from-literal=postgresql-password=$(openssl rand -base64 32) \
    --from-literal=postgresql-replication-password=$(openssl rand -base64 32)

helm install sonarqube -n sonarqube \
    --set ingress.enabled=true \
    --set ingress.annotations."kubernetes\.io/ingress\.class"=nginx \
    --set ingress.annotations."cert-manager\.io/cluster-issuer"=letsencrypt-prod \
    --set ingress.annotations."nginx\.ingress\.kubernetes\.io/proxy-body-size"="0" \
    --set ingress.annotations."nginx\.ingress\.kubernetes\.io/proxy-max-temp-file-size"="0" \
    --set ingress.hosts[0].name=sonarqube.k8s.yields.io \
    --set ingress.hosts[0].path=/ \
    --set ingress.tls[0].secretName=tls-sonarqube \
    --set ingress.tls[0].hosts[0]=sonarqube.k8s.yields.io \
    --set persistence.enabled=true \
    --set postgresql.postgresqlUsername=sonarqube \
    --set postgresql.existingSecret=sonarqube-postgresql \
    --set postgresql.postgresqlDatabase=sonarqube \
    --set postgresql.replication.enabled=true \
    --set postgresql.replication.slaveReplicas=2 \
    --set postgresql.replication.synchronousCommit="on" \
    --set postgresql.replication.numSynchronousReplicas=1 \
    --set postgresql.metrics.enabled=true \
    --set sonarProperties."sonar\.log\.level"=INFO \
    oteemocharts/sonarqube

...
Keycloak configuration
Keycloak Google IDP configuration
SonarQube SAML configuration
SonarQube Python project configuration with tox and coverage
Relax..