Version: Self hosted Sonarqube developer edition 10.6
How is SonarQube deployed: zip
What are you trying to achieve: install our own intermediate and root certificates in the container so the Sonar scanner can communicate with our local Sonarqube instance
What have you tried so far to achieve this: regular commands and routines but they all require sudo or root
We use Gitlab on premise CI/CD with a Docker executor in combination with Sonarqube. To scan “Other (JS, TS, Go, Python, PHP)” Sonarqube needs the image “sonarsource/sonar-scanner-cli:latest”. This image is built on Amazon Linux and doesn’t contain the sudo program, and the user used in the image doesn’t have root permissions. Furthermore, because we use a Gitlab Docker executor we have no easy control over the spawned Docker container running the image (let alone that it is not safe to run as root).
To install CA certificates in an Amazon Linux image I need to:
- copy them into: /etc/pki/ca-trust/source/anchors/
- update-ca-trust
Which is normally a trivial task to implement in the pipeline but in this image I can’t because I have no sudo or root permissions.
To install certificates into Java I need to:
- keytool -importcert -file -alias ca -storepass changeit -trustcacerts -cacerts -noprompt
Which is normally a trivial task to implement in the pipeline but in this image I can’t because I have no sudo or root permissions.
I have read Managing TLS certificates on the client side and whilst I managed to mount a folder inside the container with the truststore.p12 file, whilst also defining the accompanied parameters in a sonar-project.properties file, I still can’t communicate with my local Sonarqube instance, probably due to the inability to run keytool and Java still missing the certificates.
My question: how do I install my own CA certificates into the container used by sonarsource/sonar-scanner-cli:latest? Or is there no other way than to build our own image based on sonarsource/sonar-scanner-cli:latest? I would like to avoid the latter because that introduces extra work every time there’s a new version of the image.
Sidenote: I’m fairly new to Sonarqube and I managed to get the certificates into other pipelines and projects, but this Amazon Linux image is problematic, and in general I would say that like 90% of the work involved in integrating Sonarqube into an existing pipeline/project is battling to get our own CA certificates working in combination with Sonarqube.
edit: for now I solved this by creating our own image based on sonarsource/sonar-scanner-cli:latest, but this solution isn’t ideal, so if anyone knows a way to add our own CA certificates to the default image, please let me know. Also, some images require certificates to also be added to the Java cert store, but in this image only adding them to the Amazon Linux OS was enough (copy them into: /etc/pki/ca-trust/source/anchors/ and update-ca-trust).
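The derived image described in the edit above, written out as an added example (this is not code from the original post or from SonarSource). It assumes the two PEM files are checked in under a certs/ directory next to the Dockerfile, that the base image's unprivileged account is called scanner-cli, and it keeps the keytool step from the post as an optional, commented-out line since the post found the OS trust store alone was sufficient for this image:

```dockerfile
# Added example: derived scanner image with a private CA chain baked in.
# Assumption (not from the post): ./certs/root-ca.pem and
# ./certs/intermediate-ca.pem exist beside this Dockerfile.
FROM sonarsource/sonar-scanner-cli:latest

# The base image runs unprivileged and has no sudo, so the trust-store
# update has to happen at build time as root, not in the pipeline job.
USER root

# Amazon Linux trust anchors directory (as in the post): PEM files placed
# here are merged into the system bundle by update-ca-trust.
COPY certs/root-ca.pem certs/intermediate-ca.pem /etc/pki/ca-trust/source/anchors/
RUN update-ca-trust

# Optional: also import the root into the JVM cacerts store. The post found
# this unnecessary for this image, so it stays disabled here.
# RUN keytool -importcert -file /etc/pki/ca-trust/source/anchors/root-ca.pem \
#       -alias ca -storepass changeit -trustcacerts -cacerts -noprompt

# Drop back to the unprivileged account so the scanner itself never runs as
# root. Assumption: the base image's non-root user is named scanner-cli;
# check the base image with `docker inspect` and adjust if it differs.
USER scanner-cli
```

Build it once per base-image update (`docker build -t registry.example.internal/sonar-scanner-cli:custom .`, registry name assumed) and point the GitLab job's `image:` at the result; the CI job itself then needs neither sudo nor a mounted truststore, and the certificate material is confined to the build context rather than every pipeline run.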