Configuring SonarQube to authenticate to an external PostgreSQL database using Microsoft Entra

My organisation is currently running v8.9.4 (Enterprise edition/license) of SonarQube, hosted on an Azure-managed (AKS) Kubernetes cluster. I presume the container image being used relates to this DockerHub entry.

The application is deployed using the following helm chart version (versions of the chart are no longer being maintained)…

9361222@C02YH0ZLJGH6 ~ % date ; helm repo add oteemocharts
Fri 10 Nov 2023 16:27:27 GMT
"oteemocharts" has been added to your repositories
9361222@C02YH0ZLJGH6 ~ % helm repo update oteemocharts
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "oteemocharts" chart repository
Update Complete. ⎈Happy Helming!⎈
9361222@C02YH0ZLJGH6 ~ % date ; helm search repo oteemocharts
Fri 10 Nov 2023 16:28:53 GMT
oteemocharts/che           	0.1.5        	7.3.1          	A Helm chart for deploying Eclipse Che to Kuber...
oteemocharts/nexusiq       	1.0.5        	1.63.0         	A Helm chart for Nexus IQ
oteemocharts/sonarqube     	9.11.0       	8.9.7-community	SonarQube is an open sourced code quality scann...
oteemocharts/sonatype-nexus	5.5.0        	3.38.1         	Sonatype Nexus is an open source repository man...
9361222@C02YH0ZLJGH6 ~ % date ; helm pull oteemocharts/sonarqube --version 9.2.4
Fri 10 Nov 2023 16:29:25 GMT
9361222@C02YH0ZLJGH6 ~ % date ; ls -ltr *.tgz |tail -1
Fri 10 Nov 2023 16:29:58 GMT
-rw-r--r--  1 9361222  staff  47769 10 Nov 16:29 sonarqube-9.2.4.tgz
9361222@C02YH0ZLJGH6 ~ %

… and the chart’s values are currently configured to connect to an external Azure-managed PostgreSQL server (the legacy single server resource type) and to do so using standard username/password authentication (supplied as helm chart values)

My organisation’s security policies require Entra authentication when provisioning PostgreSQL flexible servers, so I’m looking to understand whether or not the SonarQube application can be configured to support this authentication method.

My understanding of the SonarQube application - based on my crude interpretation of its source code and various bits-and-pieces I’ve read - is that it uses the HikariCP connection manager/pooler to implement database connectivity.

I haven’t spent a great deal of time digging into that code but it looks like an additional dependency would be required to support this type of authentication

I’ve managed to prove that SonarQube can connect to an external Azure PostgreSQL flexible server using password-based authentication, and I could probably take an extra step by configuring Kubernetes resources so that an Entra token is used instead of a password, however that token would have an expiry date, so I’m assuming that any new connection attempts using it after that expiry (invoked by HikariCP) would fail.


Welcome to the community!

Your version is past EOL. You should upgrade to either the latest version or the current LTS at your earliest convenience. Your upgrade path is:

8.9.4 → 9.9.2 → 10.2.1 (last step optional)

You may find these resources helpful:

If you have questions about upgrading, feel free to open a new thread for that here.

Regarding your question, presumably yes: connection attempts with an expired token would fail. Although to be clear, that’s not on the SonarQube side.