SONAR-25455 Integrate SonarQube Server with Istio

Author: carminevassallo

.cirrus/tasks_templates.yml

@@ -30,10 +30,10 @@ container_template: &STD_CONTAINER_TEMPLATE
 
 vm_instance_template: &VM_TEMPLATE
   image: docker-builder-v*
-  type: t2.xlarge
+  type: c5.4xlarge
   region: eu-central-1
-  cpu: 4
-  memory: 16Gb
+  cpu: 16
+  memory: 32Gb
 
 clone_script_template: &CLONE_SCRIPT_TEMPLATE
   clone_script: |

charts/sonarqube-dce/CHANGELOG.md

@@ -6,6 +6,7 @@ All changes to this chart will be documented in this file.
 * Upgrade nginx subchart to 4.12.3
 * Support Kubernetes v1.33
 * Added validation to ensure that either the `applicationNodes.jwtSecret` or `applicationNodes.jwtExistingSecret` value is set
+* Support the deployment with Istio
 
 ## [2025.3.0]
 * Update Chart's version to 2025.3.0

charts/sonarqube-dce/Chart.yaml

@@ -33,6 +33,8 @@ annotations:
       description: "Support Kubernetes v1.33"
     - kind: added
       description: "Added validation to ensure that either the applicationNodes.jwtSecret or applicationNodes.jwtExistingSecret value is set"
+    - kind: added
+      description: "Support the deployment with Istio"
   artifacthub.io/links: |
     - name: support
       url: https://community.sonarsource.com/

charts/sonarqube-dce/README.md

@@ -152,7 +152,7 @@ Prior to SonarQube Server Datacenter 10.8, we used a different naming convention
 
 Starting from 10.8, we advise users to rename your `ApplicationNodes` to `applicationNodes`. While this is a straightforward change for users, ensuring cross-compability between both usage is challenging (if you are interested in the technical implementation, please take a look at this [PR](https://github.com/SonarSource/helm-chart-sonarqube/pull/586)).
 
-Please report any encountered bugs to https://community.sonarsource.com/.
+Please report any encountered bugs to <https://community.sonarsource.com/>.
 
 #### Cpu and memory settings
 
@@ -251,6 +251,25 @@ kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/late
 
 ```
 
+## Working with Istio
+
+When deploying SonarQube in an Istio service mesh environment, you need to configure fixed ports for Hazelcast communication between application nodes. This is required because Istio's sidecar proxy needs to know all ports in advance for traffic management, security policies, and observability.
+
+By default, SonarQube's Hazelcast cluster uses dynamic port allocation, which conflicts with Istio's requirement for explicit port declarations in service definitions and network policies. To resolve this, you must set fixed ports for the following Hazelcast communication channels:
+
+* `applicationNodes.webPort` - Used by the Web process for cluster communication
+* `applicationNodes.cePort` - Used by the Compute Engine process for cluster communication
+
+**Example configuration:**
+
+```yaml
+applicationNodes:
+  webPort: 9001   # Web process communication
+  cePort: 9002    # Compute Engine process communication
+```
+
+This ensures that Istio can properly route traffic, apply security policies, and provide telemetry for all inter-node communication within the SonarQube cluster.
+
 ### Upgrading the Helm chart
 
 When upgrading your SonarQube instance, due to high CPU usage, it is recommended to disable the autoscaling before the upgrade process, re-enabling it afterwards.
@@ -344,7 +363,6 @@ The following table lists the configurable parameters of the SonarQube chart and
 | `searchNodes.affinity`                                    | Node / Pod affinities for searchNodes, global affinity takes precedence                    | `{}`                                                                   |
 | `searchNodes.tolerations`                                 | List of node taints to tolerate for searchNodes, global tolerations take precedence        | `[]`                                                                   |
 
-
 ### App Nodes Configuration
 
 | Parameter                                                        | Description                                                                                                                                                                                                    | Default                                                                |
@@ -432,7 +450,9 @@ The following table lists the configurable parameters of the SonarQube chart and
 | `applicationNodes.nodeSelector`                                  | Node labels for application nodes' pods assignment, global nodeSelector takes precedence                                                                                                                       | `{}`                                                                   |
 | `applicationNodes.affinity`                                      | Node / Pod affinities for applicationNodes, global affinity takes precedence                                                                                                                                   | `{}`                                                                   |
 | `applicationNodes.tolerations`                                   | List of node taints to tolerate for applicationNodes, global tolerations take precedence                                                                                                                       | `[]`                                                                   |
-
+| `applicationNodes.port`                                   | The Hazelcast port for communication with each application member of the cluster.                                                                                                                       | `9003`                                                                   |
+| `applicationNodes.webPort`                                   | The Hazelcast port for communication with the WebServer process. If not specified, a dynamic port will be chosen.                                                                                                                    | ``                                                                   |
+| `applicationNodes.cePort`                                   | The Hazelcast port for communication with the ComputeEngine process. If not specified, a dynamic port will be chosen                                                                                                                     | ``                                                                   |
 
 ### Generic Configuration
 
@@ -619,7 +639,6 @@ The bundled PostgreSQL Chart is deprecated. Please see <https://artifacthub.io/p
 | `extraConfig.secrets`    | A list of `Secret`s (which must contain key/value pairs)    | `[]`    |
 | `extraConfig.configmaps` | A list of `ConfigMap`s (which must contain key/value pairs) | `[]`    |
 
-
 ### SetAdminPassword
 
 | Parameter                                    | Description                                                                                            | Default                                                                |
@@ -635,7 +654,6 @@ The bundled PostgreSQL Chart is deprecated. Please see <https://artifacthub.io/p
 | `setAdminPassword.image`                     | Curl container image                                                                                   | `"image.repository":"image.tag"`                                       |
 | `setAdminPassword.annotations`               | Custom annotations for admin hook Job                                                                  | `{}`                                                                   |
 
-
 ### Advanced Options
 
 | Parameter                           | Description                                                                                                                                                                    | Default                                                                |

charts/sonarqube-dce/templates/_helpers.tpl

@@ -563,3 +563,41 @@ Remove incompatible user/group values that do not work in Openshift out of the b
   {{- end -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Generate required Hazelcast cluster properties when custom ports are configured.
+This helper automatically sets the sonar.cluster.node properties when any of the
+Hazelcast ports (port, webPort, cePort) are configured, ensuring proper cluster communication.
+*/}}
+{{- define "sonarqube.hazelcastProperties" -}}
+{{- $props := dict -}}
+{{- if .Values.ApplicationNodes.port -}}
+{{- $_ := set $props "sonar.cluster.node.port" (.Values.ApplicationNodes.port | toString) -}}
+{{- end -}}
+{{- if .Values.ApplicationNodes.webPort -}}
+{{- $_ := set $props "sonar.cluster.node.web.port" (.Values.ApplicationNodes.webPort | toString) -}}
+{{- end -}}
+{{- if .Values.ApplicationNodes.cePort -}}
+{{- $_ := set $props "sonar.cluster.node.ce.port" (.Values.ApplicationNodes.cePort | toString) -}}
+{{- end -}}
+{{- toYaml $props -}}
+{{- end -}}
+
+{{/*
+Merge user-provided sonarProperties with automatically generated Hazelcast properties.
+User-provided properties take precedence over automatically generated ones.
+*/}}
+{{- define "sonarqube.mergedSonarProperties" -}}
+{{- $hazelcastProps := fromYaml (include "sonarqube.hazelcastProperties" .) | default dict -}}
+{{- $userProps := .Values.ApplicationNodes.sonarProperties | default dict -}}
+{{- $merged := dict -}}
+{{- /* Start with automatically generated properties */}}
+{{- range $key, $val := $hazelcastProps -}}
+  {{- $_ := set $merged $key $val -}}
+{{- end -}}
+{{- /* User properties override automatic ones */}}
+{{- range $key, $val := $userProps -}}
+  {{- $_ := set $merged $key $val -}}
+{{- end -}}
+{{- toYaml $merged -}}
+{{- end -}}

charts/sonarqube-dce/templates/change-admin-password-hook.yaml

@@ -33,6 +33,9 @@ spec:
       {{- range $key, $value := .Values.service.labels }}
         {{ $key }}: {{ $value | quote }}
       {{- end }}
+      annotations:
+        # Disable Istio sidecar injection for this hook pod
+        "sidecar.istio.io/inject": "false"
     spec:
       restartPolicy: OnFailure
       {{- if or .Values.ApplicationNodes.image.pullSecrets .Values.ApplicationNodes.image.pullSecret }}

charts/sonarqube-dce/templates/config.yaml

@@ -12,7 +12,8 @@ metadata:
     heritage: {{ .Release.Service }}
 data:
   sonar.properties: |
-  {{- range $key, $val := .Values.ApplicationNodes.sonarProperties }}
+  {{- $mergedProps := fromYaml (include "sonarqube.mergedSonarProperties" .) | default dict }}
+  {{- range $key, $val := $mergedProps }}
     {{ $key }}={{ $val }}
   {{- end }}
   {{- if .Values.sonarSecretKey }}

charts/sonarqube-dce/templates/service.yaml

@@ -68,10 +68,25 @@ spec:
   clusterIP: None
   publishNotReadyAddresses: true
   ports:
-    - port: 9003
+    - port: {{ .Values.ApplicationNodes.port | default 9003 }}
       targetPort: hazelcast
       protocol: TCP
+      appProtocol: tcp
       name: hazelcast
+    {{- if .Values.ApplicationNodes.webPort }}
+    - port: {{ .Values.ApplicationNodes.webPort }}
+      targetPort: hazelcast-web
+      protocol: TCP
+      appProtocol: tcp
+      name: hazelcast-web
+    {{- end }}
+    {{- if .Values.ApplicationNodes.cePort }}
+    - port: {{ .Values.ApplicationNodes.cePort }}
+      targetPort: hazelcast-ce
+      protocol: TCP
+      appProtocol: tcp
+      name: hazelcast-ce
+    {{- end }}
   selector:
     app: {{ template "sonarqube.name" . }}
     release: {{ .Release.Name }}

charts/sonarqube-dce/templates/sonarqube-application.yaml

@@ -102,7 +102,8 @@ spec:
             {{- . | toYaml | trim | nindent 12 }}
           {{- end }}
       {{- end }}
-      {{- if or .Values.ApplicationNodes.sonarProperties .Values.ApplicationNodes.sonarSecretProperties .Values.sonarSecretKey }}
+      {{- $hasMergedProps := or .Values.ApplicationNodes.sonarProperties .Values.ApplicationNodes.port .Values.ApplicationNodes.webPort .Values.ApplicationNodes.cePort }}
+      {{- if or $hasMergedProps .Values.ApplicationNodes.sonarSecretProperties .Values.sonarSecretKey }}
         - name: concat-properties
           image: {{ default (include "sonarqube.image" .) .Values.initContainers.image }}
           imagePullPolicy: {{ .Values.ApplicationNodes.image.pullPolicy  }}
@@ -121,7 +122,7 @@ spec:
               awk 1 /tmp/props/sonar.properties /tmp/props/secret.properties > /tmp/result/sonar.properties
             fi
           volumeMounts:
-          {{- if or .Values.ApplicationNodes.sonarProperties .Values.sonarSecretKey }}
+          {{- if or $hasMergedProps .Values.sonarSecretKey }}
             - mountPath: /tmp/props/sonar.properties
               name: config
               subPath: sonar.properties
@@ -248,8 +249,18 @@ spec:
               protocol: TCP
             {{- end }}
             - name: hazelcast
-              containerPort: 9003
+              containerPort: {{ .Values.ApplicationNodes.port | default 9003 }}
               protocol: TCP
+            {{- if .Values.ApplicationNodes.webPort }}
+            - name: hazelcast-web
+              containerPort: {{ .Values.ApplicationNodes.webPort }}
+              protocol: TCP
+            {{- end }}
+            {{- if .Values.ApplicationNodes.cePort }}
+            - name: hazelcast-ce
+              containerPort: {{ .Values.ApplicationNodes.cePort }}
+              protocol: TCP
+            {{- end }}
           resources:
 {{ toYaml (default .Values.ApplicationNodes.resources .Values.resource) | indent 12 }}
           env:
@@ -338,7 +349,7 @@ spec:
           securityContext: {{- . | nindent 12 }}
           {{- end }}
           volumeMounts:
-            {{- if or .Values.ApplicationNodes.sonarProperties .Values.ApplicationNodes.sonarSecretProperties .Values.sonarSecretKey }}
+            {{- if or $hasMergedProps .Values.ApplicationNodes.sonarSecretProperties .Values.sonarSecretKey }}
             - mountPath: {{ .Values.sonarqubeFolder }}/conf/sonar.properties
               subPath: sonar.properties
               name: concat-dir
@@ -415,7 +426,7 @@ spec:
     {{- end }}
       serviceAccountName: {{ template "sonarqube.serviceAccountName" . }}
       volumes:
-      {{- if or .Values.ApplicationNodes.sonarProperties .Values.sonarSecretKey }}
+      {{- if or $hasMergedProps .Values.sonarSecretKey }}
       - name: config
         configMap:
           name: {{ template "sonarqube.fullname" . }}-app-config
@@ -493,7 +504,7 @@ spec:
         emptyDir: {{- toYaml .Values.emptyDir | nindent 10 }}
       - name : tmp-dir
         emptyDir: {{- toYaml .Values.emptyDir | nindent 10 }}
-        {{- if or .Values.ApplicationNodes.sonarProperties .Values.ApplicationNodes.sonarSecretProperties .Values.sonarSecretKey }}
+        {{- if or $hasMergedProps .Values.ApplicationNodes.sonarSecretProperties .Values.sonarSecretKey }}
       - name : concat-dir
         emptyDir: {{- toYaml .Values.emptyDir | nindent 10 -}}
         {{- end }}

charts/sonarqube-dce/values.yaml

@@ -412,6 +412,15 @@ applicationNodes:
   # if the global .Values.tolerations is set, the following one will be ignored
   tolerations: []
 
+  ## The following values are used to set the ports for the Hazelcast cluster communication
+  # The port used by the application nodes to communicate with each other. (If unset, it will be assigned to 9003)
+  # port: 9003
+  # The port used by the web process to communicate with other application nodes (If unset, it will be dynamically allocated)
+  # webPort: 4023
+  # The port used by the compute engine process to communicate with other application nodes (If unset, it will be dynamically allocated)
+  # cePort: 4024
+
+
 ## This sets the TLS encryption between application and search nodes
 nodeEncryption:
   enabled: false