- Installed SonarQube 9.9 LTS app version with an embedded PostgreSQL pod in Kubernetes.
- Using Helm chart 8.0.1+546 (SonarSource chart repository).
- When I try to log in to the SonarQube UI with admin/admin, it says authentication failed.
- Tried updating the password to admin in the DB using `update users set crypted_password = '88c991e39bb88b94178123a849606905ebf440f5', salt='6522f3c5007ae910ad690bb1bdbf264a34884c6d' where login = 'admin';`
- Tried uncommenting custompassword and adminpassword in the Helm chart under the account section.
- No log at all in sonar.log or access.log.
- A red banner is displayed in the UI: “Authentication failed”.
- I even tried installing other versions, but saw the same issue.
Is there a different default password?
Could it be a PostgreSQL issue?
Should I uncomment the “account” section in values.yaml?
- Log for the sonarqube pod:

```
2023.06.14 04:59:28 INFO app[o.s.a.SchedulerImpl] Process[ce] is up
2023.06.14 04:59:28 INFO app[o.s.a.SchedulerImpl] SonarQube is operational
```

- Log for the postgresql pod:

```
2023-06-14 04:57:14.039 GMT [1] LOG: database system is ready to accept connections
```
Edit: Tried this too, but no luck.

```sql
update users set crypted_password='100000$t2h8AtNs1AlCHuLobDjHQTn9XppwTIx88UjqUm4s8RsfTuXQHSd/fpFexAnewwPsO6jGFQUv/24DnO55hY6Xew==', salt='k9x9eN127/3e/hf38iNiKwVfaVk=', hash_method='PBKDF2', reset_password='true', user_local='true' where login='admin';
```

values.yaml:
…
```yaml
# Default values for sonarqube.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
# If the deployment Type is set to Deployment sonarqube is deployed as a replica set.
deploymentType: "StatefulSet"
# There should not be more than 1 sonarqube instance connected to the same database. Please set this value to 1 or 0 (in case you need to scale down programmatically).
replicaCount: 1
# This will use the default deployment strategy unless it is overriden
deploymentStrategy: {}
# Uncomment this to scheduler pods on priority
# priorityClassName: "high-priority"
## Use an alternate scheduler, e.g. "stork".
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
##
# schedulerName:
## Is this deployment for OpenShift? If so, we help with SCCs
OpenShift:
  enabled: false
  createSCC: true
edition: "community"
image:
  repository: sonarqube
  tag: 9.9.1-{{ .Values.edition }}
  pullPolicy: IfNotPresent
  # If using a private repository, the imagePullSecrets to use
  # pullSecrets:
  #   - name: my-repo-secret
# Set security context for sonarqube pod
securityContext:
  fsGroup: 1000
# Set security context for sonarqube container
containerSecurityContext:
  # Sonarqube dockerfile creates sonarqube user as UID and GID 1000
  runAsUser: 1000
# Settings to configure elasticsearch host requirements
elasticsearch:
  # DEPRECATED: Use initSysctl.enabled instead
  configureNode: true
  bootstrapChecks: true
service:
  type: ClusterIP
  externalPort: 9000
  internalPort: 9000
  labels:
  annotations: {}
  # May be used in example for internal load balancing in GCP:
  # cloud.google.com/load-balancer-type: Internal
  # loadBalancerSourceRanges:
  #   - 0.0.0.0/0
  #loadBalancerIP: 35.231.66.229
# Optionally create Network Policies
networkPolicy:
  enabled: false
  # If you plan on using the jmx exporter, you need to define where the traffic is coming from
  prometheusNamespace: "monitoring"
  # If you are using a external database and enable network Policies to be created
  # you will need to explicitly allow egress traffic to your database
  # expects https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#networkpolicyspec-v1-networking-k8s-io
  # additionalNetworkPolicys:
# also install the nginx ingress helm chart
nginx:
  enabled: false
ingress:
  enabled: true
  # Used to create an Ingress record.
  hosts:
    - name: sonarqube.leapmetrics.io
      # Different clouds or configurations might need /* as the default path
      path: /
      # For additional control over serviceName and servicePort
      # serviceName: someService
      # servicePort: somePort
      # the pathType can be one of the following values: Exact|Prefix|ImplementationSpecific(default)
      pathType: ImplementationSpecific
  annotations:
    # kubernetes.io/tls-acme: "true"
    # This property allows for reports up to a certain size to be uploaded to SonarQube
    nginx.ingress.kubernetes.io/proxy-body-size: "64m"
    # Set the ingressClassName on the ingress record
    #ingressClassName: nginx
    kubernetes.io/ingress.class: nginx
  # Additional labels for Ingress manifest file
  # labels:
  #   traffic-type: external
  #   traffic-type: internal
  tls: []
  # Secrets must be manually created in the namespace. To generate a self-signed certificate (and private key) and then create the secret in the cluster please refer to official documentation available at https://kubernetes.github.io/ingress-nginx/user-guide/tls/#tls-secrets
  # - secretName: chart-example-tls
  #   hosts:
  #     - chart-example.local
route:
  enabled: false
  host: ""
  # Add tls section to secure traffic. TODO: extend this section with other secure route settings
  # Comment this out if you want plain http route created.
  tls:
    termination: edge
  annotations: {}
  # See Openshift/OKD route annotation
  # https://docs.openshift.com/container-platform/4.10/networking/routes/route-configuration.html#nw-route-specific-annotations_route-configuration
  # haproxy.router.openshift.io/timeout: 1m
  # Additional labels for Route manifest file
  # labels:
  #   external: 'true'
# Affinity for pod assignment
# Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
affinity: {}
# Tolerations for pod assignment
# Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
# taint a node with the following command to mark it as not schedulable for new pods
# kubectl taint nodes <node> sonarqube=true:NoSchedule
# The following statement will tolerate this taint and as such reverse a node for sonarqube
tolerations: []
  # - key: "sonarqube"
  #   operator: "Equal"
  #   value: "true"
  #   effect: "NoSchedule"
# Node labels for pod assignment
# Ref: https://kubernetes.io/docs/user-guide/node-selection/
# add a label to a node with the following command
# kubectl label node <node> sonarqube=true
nodeSelector: {}
  # sonarqube: "true"
# hostAliases allows the modification of the hosts file inside a container
hostAliases: []
# - ip: "192.168.1.10"
#   hostnames:
#   - "example.com"
#   - "www.example.com"
readinessProbe:
  initialDelaySeconds: 60
  periodSeconds: 30
  failureThreshold: 6
  # If an ingress *path* other than the root (/) is defined, it should be reflected here
  # A trailing "/" must be included
  sonarWebContext: /
  # sonarWebContext: /sonarqube/
livenessProbe:
  initialDelaySeconds: 60
  periodSeconds: 30
  failureThreshold: 6
  # If an ingress *path* other than the root (/) is defined, it should be reflected here
  # A trailing "/" must be included
  sonarWebContext: /
  # sonarWebContext: /sonarqube/
# If an ingress *path* is defined, it should be reflected here
# sonar.web.context: /sonarqube
startupProbe:
  initialDelaySeconds: 30
  periodSeconds: 10
  failureThreshold: 24
  # If an ingress *path* other than the root (/) is defined, it should be reflected here
  # A trailing "/" must be included
  sonarWebContext: /
  # sonarWebContext: /sonarqube/
initContainers:
  # image: busybox:1.32
  # We allow the init containers to have a separate security context declaration because
  # the initContainer may not require the same as SonarQube.
  # securityContext: {}
  # We allow the init containers to have a separate resources declaration because
  # the initContainer does not take as much resources.
  resources: {}
# Extra init containers to e.g. download required artifacts
extraInitContainers: {}
## Array of extra containers to run alongside the sonarqube container
##
## Example:
## - name: myapp-container
##   image: busybox
##   command: ['sh', '-c', 'echo Hello && sleep 3600']
##
extraContainers: []
## Provide a secret containing one or more certificate files in the keys that will be added to cacerts
## The cacerts file will be set via SONARQUBE_WEB_JVM_OPTS and SONAR_CE_JAVAOPTS
##
caCerts:
  enabled: false
  image: adoptopenjdk/openjdk11:alpine
  secret: your-secret
initSysctl:
  enabled: true
  vmMaxMapCount: 524288
  fsFileMax: 131072
  nofile: 131072
  nproc: 8192
  # image: busybox:1.32
  securityContext:
    privileged: true
  # resources: {}
initFs:
  enabled: true
  # image: busybox:1.32
  securityContext:
    privileged: true
prometheusExporter:
  enabled: true
  # jmx_prometheus_javaagent version to download from Maven Central
  version: "0.16.0"
  # Alternative full download URL for the jmx_prometheus_javaagent.jar (overrides prometheusExporter.version)
  # downloadURL: ""
  # if you need to ignore TLS certificates for whatever reason enable the following flag
  noCheckCertificate: false
  # Ports for the jmx prometheus agent to export metrics at
  webBeanPort: 8000
  ceBeanPort: 8001
  config:
    rules:
      - pattern: ".*"
  # Overrides config for the CE process Prometheus exporter (by default, the same rules are used for both the Web and CE processes).
  # ceConfig:
  #   rules:
  #     - pattern: ".*"
  # image: curlimages/curl:7.76.1
  # For use behind a corporate proxy when downloading prometheus
  # httpProxy: ""
  # httpsProxy: ""
  # noProxy: ""
  # Setting the security context to the default sonarqube user 1000/1000
  securityContext:
    runAsUser: 1000
    runAsGroup: 1000
# List of plugins to install.
# For example:
# plugins:
#   install:
#     - "https://github.com/AmadeusITGroup/sonar-stash/releases/download/1.3.0/sonar-stash-plugin-1.3.0.jar"
#     - "https://github.com/SonarSource/sonar-ldap/releases/download/2.2-RC3/sonar-ldap-plugin-2.2.0.601.jar"
#
plugins:
  install: []
  # For use behind a corporate proxy when downloading plugins
  # httpProxy: ""
  # httpsProxy: ""
  # noProxy: ""
  # image: curlimages/curl:7.76.1
  # resources: {}
  # .netrc secret file with a key "netrc" to use basic auth while downloading plugins
  # netrcCreds: ""
  # Set to true to not validate the server's certificate to download plugin
  noCheckCertificate: false
  securityContext:
    runAsUser: 1000
    runAsGroup: 1000
## Values to add to SONARQUBE_WEB_JVM_OPTS
##
# jvmOpts: "-Djava.net.preferIPv4Stack=true"
jvmOpts: ""
## Values to add to SONAR_CE_JAVAOPTS
jvmCeOpts: ""
## a monitoring passcode needs to be defined in order to get reasonable probe results
# not setting the monitoring passcode will result in a deployment that will never be ready
monitoringPasscode: "define_it"
# Alternatively, you can define the passcode loading it from an existing secret specifying the right key
# monitoringPasscodeSecretName: "pass-secret-name"
# monitoringPasscodeSecretKey: "pass-key"
## Environment variables to attach to the pods
##
# env:
#   # If you use a different ingress path from /, you have to add it here as the value of SONAR_WEB_CONTEXT
#   - name: SONAR_WEB_CONTEXT
#     value: /sonarqube
#   - name: VARIABLE
#     value: my-value
# Set annotations for pods
annotations: {}
## We usually don't make specific ressource recommandations, as they are heavily dependend on
## The usage of SonarQube and the surrounding infrastructure.
## Adjust these values to your needs, but make sure that the memory limit is never under 4 GB
resources:
  limits:
    cpu: 800m
    memory: 4Gi
  requests:
    cpu: 400m
    memory: 2Gi
persistence:
  enabled: false
  ## Set annotations on pvc
  annotations: {}
  ## Specify an existing volume claim instead of creating a new one.
  ## When using this option all following options like storageClass, accessMode and size are ignored.
  # existingClaim:
  ## If defined, storageClassName: <storageClass>
  ## If set to "-", storageClassName: "", which disables dynamic provisioning
  ## If undefined (the default) or set to null, no storageClassName spec is
  ## set, choosing the default provisioner. (gp2 on AWS, standard on
  ## GKE, AWS & OpenStack)
  ##
  storageClass:
  accessMode: ReadWriteOnce
  size: 5Gi
  uid: 1000
  ## Specify extra volumes. Refer to ".spec.volumes" specification : https://kubernetes.io/fr/docs/concepts/storage/volumes/
  volumes: []
  ## Specify extra mounts. Refer to ".spec.containers.volumeMounts" specification : https://kubernetes.io/fr/docs/concepts/storage/volumes/
  mounts: []
# In case you want to specify different resources for emptyDir than {}
emptyDir: {}
  # Example of resouces that might be used:
  # medium: Memory
  # sizeLimit: 16Mi
# A custom sonar.properties file can be provided via dictionary.
# For example:
# sonarProperties:
#   sonar.forceAuthentication: true
#   sonar.security.realm: LDAP
#   ldap.url: ldaps://organization.com
# Additional sonar properties to load from a secret with a key "secret.properties" (must be a string)
# sonarSecretProperties:
# Kubernetes secret that contains the encryption key for the sonarqube instance.
# The secret must contain the key 'sonar-secret.txt'.
# The 'sonar.secretKeyPath' property will be set automatically.
# sonarSecretKey: "settings-encryption-secret"
## Override JDBC values
## for external Databases
jdbcOverwrite:
  # If enable the JDBC Overwrite, make sure to set `postgresql.enabled=false`
  enable: false
  # The JDBC url of the external DB
  jdbcUrl: "jdbc:mysql://10:3306/leap_demo_sonarqube?socketTimeout=1500"
  # The DB user that should be used for the JDBC connection
  jdbcUsername: "leap_demo_sonarqube_user"
  # Use this if you don't mind the DB password getting stored in plain text within the values file
  jdbcPassword: "xcffu3E"
  ## Alternatively, use a pre-existing k8s secret containing the DB password
  # jdbcSecretName: "sonarqube-jdbc"
  ## and the secretValueKey of the password found within that secret
  # jdbcSecretPasswordKey: "jdbc-password"
## Configuration values for postgresql dependency
## ref: https://github.com/bitnami/charts/blob/master/bitnami/postgresql/README.md
postgresql:
  # Enable to deploy the bitnami PostgreSQL chart
  enabled: true
  ## postgresql Chart global settings
  # global:
  #   imageRegistry: ''
  #   imagePullSecrets: ''
  ## bitnami/postgres image tag
  # image:
  #   tag: 11.7.0-debian-10-r9
  # existingSecret Name of existing secret to use for PostgreSQL passwords
  # The secret has to contain the keys postgresql-password which is the password for postgresqlUsername when it is
  # different of postgres, postgresql-postgres-password which will override postgresqlPassword,
  # postgresql-replication-password which will override replication.password and postgresql-ldap-password which will be
  # used to authenticate on LDAP. The value is evaluated as a template.
  # existingSecret: ""
  #
  # The bitnami chart enforces the key to be "postgresql-password". This value is only here for historic purposes
  # existingSecretPasswordKey: "postgresql-password"
  postgresqlUsername: "sonarUser"
  postgresqlPassword: "sonarPass"
  postgresqlDatabase: "sssonarDB"
  # Specify the TCP port that PostgreSQL should use
  service:
    port: 5432
  resources:
    limits:
      cpu: 2
      memory: 2Gi
    requests:
      cpu: 100m
      memory: 200Mi
  persistence:
    enabled: true
    accessMode: ReadWriteOnce
    size: 20Gi
    storageClass:
  securityContext:
    # For standard Kubernetes deployment, set enabled=true
    # If using OpenShift, enabled=false for restricted SCC and enabled=true for anyuid/nonroot SCC
    enabled: true
    # fsGroup specification below are not applied if enabled=false. enabled=false is the required setting for OpenShift "restricted SCC" to work successfully.
    # postgresql dockerfile sets user as 1001
    fsGroup: 1001
  containerSecurityContext:
    # For standard Kubernetes deployment, set enabled=true
    # If using OpenShift, enabled=false for restricted SCC and enabled=true for anyuid/nonroot SCC
    enabled: true
    # runAsUser specification below are not applied if enabled=false. enabled=false is the required setting for OpenShift "restricted SCC" to work successfully.
    # postgresql dockerfile sets user as 1001
    runAsUser: 1001
  volumePermissions:
    # For standard Kubernetes deployment, set enabled=false
    # For OpenShift, set enabled=true and ensure to set volumepermissions.securitycontext.runAsUser below.
    enabled: false
    # if using restricted SCC set runAsUser: "auto" and if running under anyuid/nonroot SCC - runAsUser needs to match runAsUser above
    securityContext:
      runAsUser: 0
  shmVolume:
    chmod:
      enabled: false
  serviceAccount:
    ## If enabled = true, and name is not set, postgreSQL will create a serviceAccount
    enabled: false
    # name:
# Additional labels to add to the pods:
# podLabels:
#   key: value
podLabels: {}
# For compatibility with 8.0 replace by "/opt/sq"
# For compatibility with 8.2, leave the default. They changed it back to /opt/sonarqube
sonarqubeFolder: /opt/sonarqube
tests:
  image: bitnami/minideb-extras
  enabled: true
  resources: {}
  initContainers:
    image: bats/bats:1.2.1
    resources: {}
# For OpenShift set create=true to ensure service account is created.
serviceAccount:
  create: false
  # name:
  # automountToken: false # default
  ## Annotations for the Service Account
  annotations: {}
# extraConfig is used to load Environment Variables from Secrets and ConfigMaps
# which may have been written by other tools, such as external orchestrators.
#
# These Secrets/ConfigMaps are expected to contain Key/Value pairs, such as:
#
# apiVersion: v1
# kind: ConfigMap
# metadata:
#   name: external-sonarqube-opts
# data:
#   SONARQUBE_JDBC_USERNAME: foo
#   SONARQUBE_JDBC_URL: jdbc:postgresql://db.example.com:5432/sonar
#
# These vars can then be injected into the environment by uncommenting the following:
#
# extraConfig:
#   configmaps:
#     - external-sonarqube-opts
extraConfig:
  secrets: []
  configmaps: []
account:
  # The values can be set to define the current and the (new) custom admin passwords at the startup (the username will remain "admin")
  adminPassword: Leap@admin
  currentAdminPassword: admin
  # The above values can be also provided by a secret that contains "password" and "currentPassword" as keys. You can generate such a secret in your cluster
  # using "kubectl create secret generic admin-password-secret-name --from-literal=password=admin --from-literal=currentPassword=admin"
  # adminPasswordSecretName: ""
  # securityContext: {}
  # resources:
  #   limits:
  #     cpu: 100m
  #     memory: 128Mi
  #   requests:
  #     cpu: 100m
  #     memory: 128Mi
# curlContainerImage: curlimages/curl:latest
# adminJobAnnotations: {}
# sonarWebContext: /
terminationGracePeriodSeconds: 60
```
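
Added example, not part of the original post and not SonarQube's own code: a Python check of the password record written by the second UPDATE in the post, useful for confirming what a `users` row actually contains before and after a reset. It assumes the `100000$...` value is an iteration count followed by a base64 PBKDF2-HMAC-SHA512 digest and that `salt` is base64; all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import os

# Values copied from the second UPDATE statement in the post.
POSTED_HASH = ("100000$t2h8AtNs1AlCHuLobDjHQTn9XppwTIx88UjqUm4s8RsfTuXQHSd/"
               "fpFexAnewwPsO6jGFQUv/24DnO55hY6Xew==")
POSTED_SALT = "k9x9eN127/3e/hf38iNiKwVfaVk="


def parse_record(crypted_password, salt_b64):
    """Split '<iterations>$<base64 digest>' and decode digest and salt."""
    iterations, sep, digest_b64 = crypted_password.partition("$")
    if not sep or not iterations.isdigit():
        raise ValueError("not an '<iterations>$<digest>' record")
    return (int(iterations),
            base64.b64decode(digest_b64, validate=True),
            base64.b64decode(salt_b64, validate=True))


def verify(password, crypted_password, salt_b64):
    """Recompute the derived key (assumed HMAC-SHA512) and compare in constant time."""
    iterations, digest, salt = parse_record(crypted_password, salt_b64)
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                    salt, iterations, dklen=len(digest))
    return hmac.compare_digest(candidate, digest)


def make_record(password, iterations=100_000):
    """Build a fresh (crypted_password, salt) pair in the same layout."""
    salt = os.urandom(20)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                 salt, iterations, dklen=64)
    return (f"{iterations}${base64.b64encode(digest).decode()}",
            base64.b64encode(salt).decode())


def looks_like_bare_hex40(crypted_password):
    """True for a 40-hex-digit value, the shape used in the first UPDATE."""
    return len(crypted_password) == 40 and all(
        c in "0123456789abcdef" for c in crypted_password.lower())


if __name__ == "__main__":
    its, digest, salt = parse_record(POSTED_HASH, POSTED_SALT)
    print(f"iterations={its} digest_bytes={len(digest)} salt_bytes={len(salt)}")
    print("posted record matches 'admin':",
          verify("admin", POSTED_HASH, POSTED_SALT))
```

A row whose `crypted_password` has the 40-hex shape but no matching `hash_method` value, as in the first UPDATE, fails `parse_record` here, which is a quick way to spot a record and method that do not belong together.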