I’m running SonarQube Developer (8.9.4, build 50575) on an AWS EKS cluster. It is installed using Helm (chart version 1.0.21+170). Referencing the Helm chart documentation I have tried to install the Dependency-Check Plugin for SonarQube 8.x and 9.x.
When SonarQube is up and running, the list of installed extensions in the marketplace is empty though. I understand that the install-plugins.sh script downloads the JAR files to /extensions/downloads, which is not the place where SonarQube expects the plugins. However, this issue mentions that this is in fact correct and SonarQube will move the files from the downloads directory to the plugins directory automatically.
Am I using an incorrect configuration or is this expected behavior with my setup?
As a workaround (or not, depending on how you see this), you have two choices to make third-party plugin installation work:
EDIT: skip method 1 and do method 2, see my updated response here
Accept the Risk Consent
1. Start SonarQube without any plugins
2. Accept the risk consent via UI (Administration > Marketplace) or web API (curl -v -u <INSERT-USER-TOKEN>: -X POST 'https://<INSERT-SQ-URL>/api/settings/set?key=sonar.plugins.risk.consent&value=ACCEPTED') (notice no space between user token and the colon)
3. Enable the plugin section in values.yaml
4. Redeploy with modifications
Enable persistence
Set persistence to true in values.yaml, which will create a new PVC, which will hold your 3rd party plugins.
Please review the Persistency section in the Deploy SonarQube on Kubernetes documentation. There are important implications that will affect your Elasticsearch indices, which can be corrupted after enough k8s deployments.
Thanks for the quick answer! I followed your instructions and documented my results below:
Accept the Risk Consent
Removed the plugins section from my values file & upgraded the Helm release.
Verified that no attempt to install plugins was made (logs didn’t show that the plugin JAR was downloaded, the install-plugins init container wasn’t deployed).
Opened the SonarQube UI (Administration > Marketplace).
There is no “Risk Consent” prompt. (I see the prompt as expected on another SonarQube installation (Community Edition).)
I ran the curl command you suggested. It returned an HTTP 204 response.
Enable persistence
Removed the plugins section from my values file.
Enabled persistence & upgraded the Helm release.
Verified that no attempt to install plugins was made (logs didn’t show that the plugin JAR was downloaded, the install-plugins init container wasn’t deployed).
Re-added the plugins section & upgraded the Helm release.
The plugins are loaded as expected.
Did workaround #1 (Accept the Risk Consent) not work for me because I’m running the Developer Edition?
I’ll stick to workaround #2 (Enable persistence) for now, even if it means that ES indices could get corrupted.
Thanks for your organized and detailed response! You should have seen a special solo screen for risk consent acceptance when you start up SonarQube again. Developer and higher editions will see a different UX for plugin acceptance, i.e. there is no checkbox on the Marketplace screen.
In any case, workaround #2 is actually the correct method, as explained now in SONAR-15687:
Users who want to use 3rd party plugins are advised to enable persistence, to ensure the continuous existing of their plugins after a pod kill and increase the tolerance for the startup and liveness probes.
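The values.yaml change this thread converges on, written out as an added example that is not from either poster or from the chart's own documentation. It assumes the SonarSource chart's top-level `plugins.install` and `persistence.enabled` keys; the plugin URL is a placeholder because the thread does not give one.

```yaml
# Before: plugins requested while persistence is not enabled.
# In the thread, this left the Marketplace list of installed extensions empty.
plugins:
  install:
    # Placeholder: the thread does not state the JAR URL or plugin version.
    - "https://<INSERT-PLUGIN-RELEASE-URL>/<INSERT-PLUGIN-JAR>"
persistence:
  enabled: false
---
# After: same plugin list, persistence enabled.
# The chart creates a PVC that holds the third-party plugins, so they
# survive a pod kill (the reason given in SONAR-15687).
plugins:
  install:
    - "https://<INSERT-PLUGIN-RELEASE-URL>/<INSERT-PLUGIN-JAR>"
persistence:
  enabled: true
```

The original poster applied this in two Helm upgrades: persistence first with the plugins section removed, then the plugins section re-added.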