This role installs SonarQube with extended set of plugins. Playbook example below also uses openJDK, postgreSQL database and nginx web server with enabled https.
See article here: https://lean-delivery.com/2020/02/how-to-add-sonarqube-to-ci-process.html
In addition to default plugins included into SonarQube role could install following recommended plugins:
- checkstyle-sonar-plugin
- sonar-pmd-plugin
- sonar-findbugs-plugin
- mutation-analysis-plugin
- sonar-jdepend-plugin
- sonar-jproperties-plugin
- sonar-groovy-plugin
- sonar-dependency-check-plugin
- sonar-json-plugin
- sonar-yaml-plugin
- sonar-ansible-plugin
- sonar-shellcheck-plugin
Also you may install optional plugins. Be carefull, some of them are not supported in latest SonarQube versions:
- qualinsight-sonarqube-smell-plugin
- qualinsight-sonarqube-badges
- sonar-auth-github-plugin
- sonar-auth-bitbucket-plugin
- sonar-bitbucket-plugin (for Bitbucket Cloud)
- sonar-stash-plugin (for Bitbucket Server)
- sonar-auth-gitlab-plugin
- sonar-gitlab-plugin
- sonar-xanitizer-plugin
- sonar-build-breaker-plugin
- sonar-issueresolver-plugin
- sonarqube-community-branch-plugin
- sonar-aemrules-plugin
See plugin matrix here: https://docs.sonarsource.com/sonarqube/latest/instance-administration/plugin-version-matrix/
This role also provides some configuration options:
- ability to migrate db when updating SonarQube to new version
- ability to set Jenkins webhook
- ability to restore custom profiles
- LDAP configuration
- ability to change password for admin user
See Jenkins pipeline example here: https://raw.githubusercontent.com/lean-delivery/ansible-role-sonarqube/master/files/example_pipeline.groovy
- Supported Ansible versions:
- 5 (2.12) - not covered by tests yet, should work
- 6 (2.13)
- 7 (2.14)
- 8 - 11 - not covered by tests yet, should work
- Supported SonarQube versions:
- 7.9.6 previous LTS
- 8.9.10 previous LTS
- 9.9.8 LTA
- 10.0 - 10.7
- 24.12
- Supported Java:
- 11
- 17 (use for SonarQube 9.9+)
- Supported databases
- PostgreSQL
- MySQL (not recommended)
- embedded H2 (for tests only)
- Supported web servers (reverse proxy for https)
- nginx
- Supported OS:
- CentOS, RHEL
- 7
- Ubuntu
- 18.04
- 20.04 - not covered by tests yet, should work
- 22.04 - not covered by tests yet, should work
- 24.04 - not covered by tests yet, should work
- CentOS, RHEL
Java, database, web server with self-signed certificate should be installed preliminarily. Use following galaxy roles:
- lean_delivery.java
- geerlingguy.postgresql
- jdauphant.ssl-certs
- nginxinc.nginx
sonar_version
- SonarQube versionsonar_path
- installation directory
default: /opt/sonarqubesonar_user
- user for installing SonarQube
default: sonarsonar_group
- group of SonarQube user
default: sonarsonar_nofile
- file descriptors amount that user running SonarQube can open
default: 65536sonar_nproc
- threads amount that user running SonarQube can open
default: 4096sonar_max_map_count
- mmap counts limit required for Elasticsearch
default: 262144sonar_log_level
- Logging level of SonarQube server
default: INFOsonar_java_opts
:web
- additional java options for web part of SonarQube
default: -Xmx512m -Xms128mes
- additional java options for Elasticsearch
default: -Xms512m -Xmx512mce
- additional java options for Compute Engine
default: -Xmx512m -Xms128m
web
:host
- SonarQube binding ip address
default: 0.0.0.0port
- TCP port for incoming HTTP connections
default: 9000path
- web context
default: /
sonar_db
- database settingstype
default : postgresqlport
default : 5432host
default : localhostname
default: sonaruser
default: sonarpassword
default: sonaroptions
default:
sonar_store
- sonarqube artifact provider
default: https://sonarsource.bintray.com/Distribution/sonarqubesonar_check_url
- url for SonarQube startup verification
default: http://{{ web.host }}:{{ web.port }}sonar_download
- is sonarqube.zip download required. Set to false when not possible to download zip and put zip to sonar_download_path manually before playbook run. default: truesonar_download_path
- local download path
default: /tmp/sonar_proxy_type
- web server, nginx is only supported for now
default: nginxsonar_proxy_server_name
- server name in webserver config
default: '{{ ansible_fqdn }}'sonar_proxy_http
- is http connection allowed
default: falsesonar_proxy_http_port
- http port
default: 80sonar_proxy_ssl
- is https connection allowed
default: truesonar_proxy_ssl_port
- https port
default: 443sonar_proxy_ssl_cert_path
- path to certificate
default: '/etc/ssl/{{ sonar_proxy_server_name }}/{{ sonar_proxy_server_name }}.pem'sonar_proxy_ssl_key_path
- path to key
default: '/etc/ssl/{{ sonar_proxy_server_name }}/{{ sonar_proxy_server_name }}.key'sonar_proxy_client_max_body_size
- client max body size setting in web server config
default: 32msonar_install_recommended_plugins
- are recommended plugins required
default: truesonar_recommended_plugins
- list of recommended plugins\sonar_update_default_plugins
- is update required for default plugins
default: truesonar_default_plugins
- list of default plugins\sonar_install_optional_plugins
- are optional plugins required
default: falsesonar_optional_plugins
- list of optional plugins switched off by default. Not all of them are supported in latest SonarQube versions, so select ones you need and override this property.sonar_excluded_plugins
- list of old plugins excluded from SonarQube installersonar_default_excluded_plugins
- list of default plugins you don't need
default: []sonar_web_user
- username for admin user
default: adminsonar_web_password
- password for admin user
default: adminchange_password
- set true to change password
default: falsesonar_web_old_password
- current password (before changing)
default: adminsonar_migrate_db
- is DB migrate required. Set to true when updating existing SonarQube to new version.
default: falsesonar_set_jenkins_webhook
- is jenkins webhook configuration required
default: falsesonar_jenkins_webhook_name
- name of jenkins webhook
default: jenkinssonar_jenkins_webhook_url
- url of jenkins webhook
default: https://jenkins.example.com/sonarqube-webhook/sonar_restore_profiles
- is profile restore required
default: falsesonar_profile_list
- list of profiles to restoresonar_updatecenter_activate
- activate the SonarQube update center default: true
Ldap configuration section. See https://docs.sonarqube.org/latest/instance-administration/delegated-auth/#header-6 to get description
ldap
:
default: undefinedauthenticator_downcase
default: falseurl
default: ldap://myserver.mycompany.combind_dn
default: my_bind_dnbind_password
default: my_bind_passwordauthentication
default: simplerealm
default:contextFactoryClass
default: com.sun.jndi.ldap.LdapCtxFactoryStartTLS
default: falsefollowReferrals
default: trueuser_base_dn
default : ou=Users,dc=mycompany,dc=comuser_request
default: (&(objectClass=inetOrgPerson)(uid={login}))user_real_name_attribute
default: cnuser_email_attribute
default: mailgroup_base_dn
default: ou=Groups,dc=sonarsource,dc=comgroup_request
default: (&(objectClass=posixGroup)(memberUid={uid}))group_idAttribute
default: cn
---
- name: Install SonarQube
hosts: sonarqube
become: true
vars:
# java
java_major_version: 17
transport: repositories
# postgresql
postgresql_users:
- name: sonar
password: sonar
postgresql_databases:
- name: sonar
# ssl-certs
ssl_certs_path_owner: nginx
ssl_certs_path_group: nginx
ssl_certs_common_name: sonarqube.example.com
# sonarqube
sonar_version: 24.12.0.100206
sonar_check_url: 'http://{{ ansible_fqdn }}:9000'
sonar_proxy_server_name: sonarqube.example.com
sonar_install_optional_plugins: true
sonar_optional_plugins:
- 'https://github.com/adnovum/sonar-build-breaker/releases/download/{{ build_breaker_epversion }}'
sonar_default_excluded_plugins:
- '{{ sonar_plugins_path }}/sonar-flex-plugin-2.14.0.5032.jar'
sonar_web_password: your_new_secure_password
change_password: true
sonar_web_old_password: admin
sonar_migrate_db: false # set to true if updating SonarQube to new version
sonar_set_jenkins_webhook: true
sonar_jenkins_webhook_url: https://jenkins.example.com/sonarqube-webhook/
sonar_restore_profiles: true
sonar_profile_list:
- files/example_profile.xml
pre_tasks:
- name: install rpm key
rpm_key:
state: present
key: https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{{ ansible_distribution_major_version }}
when: ansible_distribution == 'RedHat'
- name: install epel
package:
name: https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ansible_distribution_major_version }}.noarch.rpm
state: present
when: ansible_distribution == 'RedHat'
# delete previously installed sonar to prevent plugins conflict
- name: delete sonar
file:
path: '{{ sonar_path }}'
state: absent
roles:
- role: lean_delivery.java
- role: geerlingguy.postgresql
- role: nginxinc.nginx
- role: jdauphant.ssl-certs
- role: lean_delivery.sonarqube
tasks:
- name: delete default nginx config
file:
path: /etc/nginx/conf.d/default.conf
state: absent
- name: reload nginx
command: 'nginx -s reload'
Apache
authors:
- Lean Delivery Team team@lean-delivery.com