Sonarqube with alb ingress controller gives 504 time out error

I have deployed the sonarqube Helm chart in EKS (helm-chart-sonarqube/charts/sonarqube at master · SonarSource/helm-chart-sonarqube · GitHub). In order to access sonarqube from outside the EKS cluster, I’m using the alb ingress controller instead of the nginx ingress controller. I don’t understand where it breaks. When I call my host, for example “myhost.com”, I get a 504 time out, even though the app is running fine inside the pod (I tested it). I don’t understand why it isn’t forwarding the traffic to the server.

My ingress file example

```yaml
kind: Ingress
metadata:
  name: app-k8s-sonarqube-sonarqube-internal
  annotations:
    # annotations: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.3/guide/ingress/annotations/
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/group.name: {{ .Values.sonarqube.ingress.groupname }}
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
spec:
  rules:
  - host: {{ .Values.sonarqube.ingress.host_public }}
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: app-k8s-sonarqube-sonarqube
            port:
              number: 9000
```

Hi @Muneeza_Qureshi and welcome to the community :wave:

Can you share a little more about the infrastructure? Are network policies active, and can you maybe also share the generated service yaml?

You can use the nginx-ingress controller on EKS and only use an ELB to achieve this. I usually recommend this as you can configure an increased body size on nginx as well as TLS certificates with more than 2048-RSA, but of course this choice is up to you.

Hi @Tobias_Trabelsi ,

Thanks for the quick response. I have to use the alb ingress controller for now. I’m actually using Argo CD to deploy into the EKS cluster. The network policy is enabled as the sonarqube pod was unable to access the db without that. I didn’t change anything in the network policy, just enabled it. This is the service yaml that was generated.

```yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    app: sonarqube
    argocd.argoproj.io/instance: app-k8s-sonarqube
    chart: sonarqube-2.0.0_248
    heritage: Helm
    release: app-k8s-sonarqube
  name: app-k8s-sonarqube-sonarqube
  namespace: app-k8s-sonarqube-ns
spec:
  ports:
    - name: http
      port: 9000
      protocol: TCP
      targetPort: http
  selector:
    app: sonarqube
    release: app-k8s-sonarqube
  type: ClusterIP
```

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  labels:
    app: sonarqube
    argocd.argoproj.io/instance: app-k8s-sonarqube
    chart: sonarqube-2.0.0_248
    heritage: Helm
    release: app-k8s-sonarqube
  name: app-k8s-sonarqube-sonarqube-network-policy
  namespace: app-k8s-sonarqube-ns
spec:
  egress:
    - ports:
        - port: 53
          protocol: UDP
      to:
        - namespaceSelector:
            matchLabels:
              networking/namespace: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
    - ports:
        - port: 5432
          protocol: TCP
      to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: postgresql
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: sonarqube
              release: app-k8s-sonarqube
      ports:
        - port: 9000
    - from:
        - namespaceSelector:
            matchLabels:
              networking/namespace: monitoring
      ports:
        - port: 8001
          protocol: TCP
        - port: 8000
          protocol: TCP
  podSelector:
    matchLabels:
      app: sonarqube
  policyTypes:
    - Ingress
    - Egress
```

This is not the way it’s supposed to be. Network policies in the chart are optional and can be used if you have a security concern. If you don’t enable them and the connection to the DB is not possible, then there is possibly a deny-all rule defined in your cluster. I would maybe start looking at this.

Apart from that I think you need to provide additional network policies to allow traffic from your ALB to sonarqube using networkPolicy.additionalNetworkPolicys.
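
The point made in the reply above, as an added example that is not part of the thread or of the chart: a simplified model of NetworkPolicy ingress matching, run over the ingress rules of the posted policy. It assumes `matchLabels`-only selectors and numeric ports; the ALB subnet CIDR, the source addresses and the names `ALB_RULE`, `ALB_NODE` and `SONAR_POD` are constructed placeholders.

```python
import ipaddress

POLICY_NS = "app-k8s-sonarqube-ns"
# Ingress rules of the NetworkPolicy posted in the thread, as Python data.
POSTED_INGRESS = [
    {"from": [{"podSelector": {"matchLabels": {
        "app": "sonarqube", "release": "app-k8s-sonarqube"}}}],
     "ports": [{"port": 9000}]},
    {"from": [{"namespaceSelector": {"matchLabels": {
        "networking/namespace": "monitoring"}}}],
     "ports": [{"port": 8001, "protocol": "TCP"}, {"port": 8000, "protocol": "TCP"}]},
]
# Additional rule admitting the load balancer. The CIDR is a constructed
# placeholder for the subnets the ALB is attached to.
ALB_RULE = {"from": [{"ipBlock": {"cidr": "10.0.0.0/22"}}],
            "ports": [{"port": 9000, "protocol": "TCP"}]}

def labels_match(selector, labels):
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, src):
    if "ipBlock" in peer:  # the only peer type that can describe a non-pod source
        ip, block = ipaddress.ip_address(src["ip"]), peer["ipBlock"]
        return (ip in ipaddress.ip_network(block["cidr"]) and
                not any(ip in ipaddress.ip_network(e) for e in block.get("except", [])))
    if src["pod_labels"] is None:  # selectors only ever match pods
        return False
    if "namespaceSelector" in peer:
        if not labels_match(peer["namespaceSelector"], src["ns_labels"]):
            return False
    elif src["namespace"] != POLICY_NS:  # bare podSelector: policy's own namespace
        return False
    return labels_match(peer.get("podSelector", {}), src["pod_labels"])

def ingress_allowed(rules, src, port, protocol="TCP"):
    """True if any rule admits src on port; otherwise the selected pod drops it."""
    for rule in rules:
        ports, peers = rule.get("ports"), rule.get("from")
        port_ok = not ports or any(p.get("port") in (None, port) and
                                   p.get("protocol", "TCP") == protocol for p in ports)
        if port_ok and (not peers or any(peer_matches(p, src) for p in peers)):
            return True
    return False

# Constructed sources: an ALB node in target-type "ip" mode connects straight
# to the pod IP from its own subnet address and carries no pod labels.
ALB_NODE = {"ip": "10.0.1.25", "pod_labels": None, "namespace": None, "ns_labels": {}}
SONAR_POD = {"ip": "10.0.8.14", "namespace": POLICY_NS, "ns_labels": {},
             "pod_labels": {"app": "sonarqube", "release": "app-k8s-sonarqube"}}

if __name__ == "__main__":
    print("posted policy, ALB -> 9000:", ingress_allowed(POSTED_INGRESS, ALB_NODE, 9000))
    print("with ALB rule, ALB -> 9000:", ingress_allowed(POSTED_INGRESS + [ALB_RULE], ALB_NODE, 9000))
```

Scoping the added rule to the ALB subnets and port 9000 keeps the rest of the policy's restrictions in place; the model only applies where the cluster's CNI actually enforces NetworkPolicy.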

Hi Tobias,

Thank you so much for the response. Eventually the problem was at my end. I am supposed to use network policy, but I needed to add the namespace of my app to the global policy, which I wasn’t aware of.
So the issue is resolved and it was not Sonarqube related.
