Plugin installation not working in Helm chart

I’m running SonarQube Developer (8.9.4, build 50575) on an AWS EKS cluster. It is installed using Helm (chart version 1.0.21+170). Referencing the Helm chart documentation I have tried to install the Dependency-Check Plugin for SonarQube 8.x and 9.x.

My values file looks like this:

  tag: 8.9.4-developer


According to the logs of the install-plugins container the JAR file is downloaded correctly into the $SONARQUBE_HOME/extensions/downloads directory:

{"log":"2021-12-16 09:00:49 URL:\u0026X-Amz-Credential=XXXXXXXXX%2F20211216%2Fus-east-1%2Fs3%2Faws4_request\u0026X-Amz-Date=20211216T090049Z\u0026X-Amz-Expires=300\u0026X-Amz-Signature=ad70886a190c3fa2ade3364079759952e0f82f71f3f142c90be0320b59c58bde\u0026X-Amz-SignedHeaders=host\u0026actor_id=0\u0026key_id=0\u0026repo_id=29143201\u0026response-content-disposition=attachment%3B%20filename%3Dsonar-dependency-check-plugin-2.0.8.jar\u0026response-content-type=application%2Foctet-stream [4187660/4187660] -\u003e \"/opt/sonarqube/extensions/downloads/sonar-dependency-check-plugin-2.0.8.jar\" [1]\n","stream":"stderr","time":"2021-12-16T09:00:49.729664549Z"}

When SonarQube is up and running the list of installed extensions in the marketplace is empty though. I understand that the script downloads the JAR files to /extensions/downloads which is not the place where SonarQube expects the plugins. However this issue mentions that this is in fact correct and SonarQube will move the files from the downloads directory to the plugins directory automatically.

Am I using an incorrect configuration or is this expected behavior with my setup?

1 Like

Hello @mway-niels ,

That is the expected behavior. You are encountering a known bug: SONAR-15678: Risk consent must not block startup. We haven’t set a release date for this yet.

As a workaround (or not, depending on how you see this), you have two choices to make third-party plugin installation work:

EDIT: skip method 1 and do method 2, see my updated response here

  1. Accept the Risk Consent
    1. Start SonarQube without any plugins
    2. Accept the risk consent via UI (Administration > Marketplace) or web API (curl -v -u <INSERT-USER-TOKEN>: -X POST 'https://<INSERT-SQ-URL>/api/settings/set?key=sonar.plugins.risk.consent&value=ACCEPTED') (notice no space between user token and the colon)
    3. Enable the plugin section in values.yaml
    4. Redeploy with modifications
  2. Enable persistence
    1. Set persistence to true in values.yaml, which will create a new PVC, which will hold your 3rd party plugins.
    2. Please review Persistency section in Deploy SonarQube on Kubernetes documentation. There are important implications that will affect your Elasticsearch indices, which can be corrupted after enough k8s deployments.

Let us know which one you choose.

1 Like

Hi @Joe,

thanks for the quick answer! I followed your instructions and documented my results below:

  1. Accept the Risk Consent
    1. Removed the plugins section from my values file & upgraded the Helm release.
    2. Verified that no attempt to install plugins was made (logs didn’t show that the plugin JAR was downloaded, the install-plugins init container wasn’t deployed).
    3. Opened the SonarQube UI (Administration > Marketplace).
    4. There is no “Risk Consent” prompt. (I see the prompt as expected on another SonarQube installation (Community Edition).)
    5. I ran the curl command you suggested. It returned a HTTP 204 response.
  2. Enable persistence
    1. Removed the plugins section from my values file.
    2. Enabled persistence & upgraded the Helm release
    3. Verified that no attempt to install plugins was made (logs didn’t show that the plugin JAR was downloaded, the install-plugins init container wasn’t deployed).
    4. Readded the plugins section & upgraded the Helm release.
    5. The plugins are loaded as expected.

Did workaround #1 (Accept the Risk Consent) not work for me because I’m running the Developer Edition?

I’ll stick to workaround #2 (Enable persistence) for now, even if it means that ES indices could get corrupted.

Thank you for your help! :slight_smile:

1 Like

Hi @Niels,

Thanks for your organized and detailed response! You should have seen a special solo screen for risk consent acceptance when you start up SonarQube again. Developer and higher editions will see a different UX for plugin acceptance, i.e. there is no checkbox on the Marketplace screen.

In any case, workaround #2 is actually the correct method, as explained now in SONAR-15687:

Users who want to use 3rd party plugins are advised to enable persistence, to ensure the continuous existing of their plugins after a pod kill and increase the tolerance for the startup and liveness probes.

1 Like

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.