Difficulty: Introduction
Estimated Time: 10 minutes

SonarQube on Kubernetes

SonarQube

SonarQube is an open source platform developed by SonarSource for continuous inspection of code quality to perform automatic reviews with static analysis of code to detect bugs, code smells, and security vulnerabilities on 20+ programming languages. SonarQube offers reports on duplicated code, coding standards, unit tests, code coverage, code complexity, comments, bugs, and security vulnerabilities. -- Wikipedia

Setting up your SonarQube services as fragile snowflakes is common, but it is not a recommended practice. Any developer should be able to quickly start a personal SonarQube service, and to rely on a team service that behaves the same way. The latest SonarQube version, its plugins and its configuration should also be easy to adjust. Your software development lifecycle (SDLC) processes should embrace versioned configuration and deployment of SonarQube across a variety of cattle (not pets) targets.

Follow these instructions to set up a personal SonarQube engine and dashboard. With this you have a strong static code analysis tool backing your code before you submit your work as a pull request. Within SonarQube there are plugins such as Checkstyle, PMD and Findbugs. The Findbugs plugin includes rules for vulnerabilities such as the OWASP Top 10.

You will learn how:

  • to install SonarQube onto Kubernetes
  • to use Helm to install SonarQube
  • to configure SonarQube plugins with the chart
  • to access the SonarQube Dashboard
  • to analyze code and inspect results with a Gradle plugin

Conclusion

Most developers who know about static code analysis know about SonarQube. While each language typically has its own linting and code analysis tools, SonarQube offers a unifying tool for many languages and teams. Additionally, because SonarQube stores results in a database, it adds the dimension of time, letting you trend your metrics across builds.

This tutorial shows how you can easily use Kubernetes as a place to host a highly available server for you and your team.

Lessons Learned

With these steps you have learned how:

  • to install SonarQube onto Kubernetes
  • to use Helm to install SonarQube
  • to configure SonarQube plugins with the chart
  • to access the SonarQube Dashboard
  • to analyze code and inspect results with a Gradle plugin

Additional Information
No Fluff Just Stuff

For a deeper understanding of these topics and more join me, Jonathan Johnson, for a transcendent experience on the No Fluff Just Stuff Software Symposium Tour.

SonarQube

Step 1 of 4

Your Kubernetes Cluster

As you see, your Kubernetes cluster is started. Verify it's ready for your use.

kubectl version && kubectl cluster-info && kubectl get nodes

Verify the Kubernetes cluster is empty.

kubectl get deployments,pods,services

The Helm package manager used for installing applications on Kubernetes is also available.

helm version

Kubernetes Dashboard

As an administrator, you can control the cluster with the kubectl CLI tool. You can also use the Kubernetes Dashboard. Because the dashboard can be accessed publicly, it is protected and requires the secret access token to sign in. Because you have administration access to this cluster, copy the token from this secret.

export TOKEN=$(kubectl describe secret $(kubectl get secret | awk '/^dashboard-token-/{print $1}') | awk '$1=="token:"{print $2}') && echo -e "\n--- Copy and paste this token for dashboard access --\n$TOKEN\n---"
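The one-liner above chains two text filters: the first picks the secret whose name starts with dashboard-token- out of `kubectl get secret`, the second pulls the token value out of `kubectl describe secret`. The following is an added example, not part of the original scenario, that isolates those two filters into functions so they can be exercised offline against constructed sample output (the secret name and token value below are made-up placeholders) and adds the check a practitioner wants: fail if no token was found rather than exporting an empty variable.

```shell
#!/bin/sh
# Added example: the tutorial's two awk filters as testable functions, run
# against constructed kubectl output. Nothing here talks to a real cluster.

# Constructed sample of `kubectl get secret` output (placeholder names).
SAMPLE_GET='NAME                      TYPE                                  DATA   AGE
default-token-zzz99       kubernetes.io/service-account-token   3      5m
dashboard-token-abc12     kubernetes.io/service-account-token   3      5m'

# Constructed sample of `kubectl describe secret dashboard-token-abc12`
# output; the token value is a placeholder, not a real service-account token.
SAMPLE_DESCRIBE='Name:         dashboard-token-abc12
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: dashboard

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  7 bytes
token:      PLACEHOLDER-TOKEN-VALUE-abc123'

# select_dashboard_secret: read `kubectl get secret` text on stdin and print
# only the name of the secret whose name begins with dashboard-token-.
select_dashboard_secret() {
  awk '/^dashboard-token-/{print $1}'
}

# extract_token: read `kubectl describe secret` text on stdin and print the
# second field of the line whose first field is exactly "token:".
extract_token() {
  awk '$1=="token:"{print $2}'
}

# token_is_present: return 0 (success) only if the describe output passed as
# $1 yields a non-empty token; use this before exporting TOKEN so a typo in
# the secret name does not silently produce an empty credential.
token_is_present() {
  tok=$(printf '%s\n' "$1" | extract_token)
  [ -n "$tok" ]
}

# Stand-alone demonstration on the constructed samples. The real token is not
# echoed here; only the selected secret name and a presence check are shown.
if [ "${0##*/}" != "sh" ]; then
  name=$(printf '%s\n' "$SAMPLE_GET" | select_dashboard_secret)
  echo "selected secret: $name"
  if token_is_present "$SAMPLE_DESCRIBE"; then
    echo "token found in describe output"
  else
    echo "no token found" >&2
  fi
fi
```

Against a live cluster the same functions apply to real output: `kubectl get secret | select_dashboard_secret` and `kubectl describe secret "$name" | extract_token`, with `token_is_present` guarding the export.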

To access the dashboard, click on the Kubernetes Dashboard tab above the command line or use this link: https://[[HOST_SUBDOMAIN]]-30000-[[KATACODA_HOST]].environments.katacoda.com/. At the sign-in prompt select Token and paste in the token you copied a moment ago.

For publicly exposed Kubernetes clusters, always lock down every form of Kubernetes administration access, including access to the dashboard.
