SonarQube
SonarQube Community Build provides code quality and security analysis. The HelmForge chart deploys the official SonarQube image with PostgreSQL integration, plugin automation, and operational guardrails.
Key Features
- Official `docker.io/library/sonarqube` image pinned to `26.4.0.121862-community`
- HelmForge PostgreSQL dependency or external PostgreSQL
- Plugin download init container
- First-class community branch plugin wiring, Java agents, and webapp replacement support
- Gateway API, Ingress, dual-stack Service fields, NetworkPolicy, PDB, persistence, and Helm tests
- External Secrets Operator support for database credentials
Installation
```bash
# Option 1: install from the Helm repository
helm repo add helmforge https://repo.helmforge.dev
helm repo update
helm install sonarqube helmforge/sonarqube --namespace sonarqube --create-namespace

# Option 2: install from the OCI registry instead
helm install sonarqube oci://ghcr.io/helmforgedev/helm/sonarqube --namespace sonarqube --create-namespace
```
Examples
Bundled PostgreSQL:
```yaml
sonarqube:
  databaseMode: postgresql
postgresql:
  enabled: true
  auth:
    database: sonarqube
    username: sonar
    password: change-me
```
Community branch plugin:
```yaml
communityBranchPlugin:
  enabled: true
  version: '26.4.0'
```
Operations
SonarQube embeds Elasticsearch and has host kernel requirements for production bootstrap checks. The chart keeps local evaluation approachable, but production clusters should satisfy SonarQube host requirements and use PostgreSQL, either bundled or external.
Architecture
The chart runs SonarQube Community Build with one of three database paths:
- `embedded` for disposable local validation
- `postgresql` for the HelmForge PostgreSQL subchart
- `external` for a platform-managed PostgreSQL database
SonarQube also embeds Elasticsearch for search. That makes node kernel settings, persistent data, and startup probes part of the production contract.
Production Values
Use PostgreSQL, persistent data and extensions volumes, and production bootstrap checks:
```yaml
sonarqube:
  databaseMode: external
  esBootstrapChecksDisable: false
database:
  external:
    jdbcUrl: jdbc:postgresql://postgresql.database.svc.cluster.local:5432/sonarqube
    username: sonar
    existingSecret: sonarqube-database
    existingSecretPasswordKey: jdbc-password
persistence:
  data:
    enabled: true
    size: 50Gi
  extensions:
    enabled: true
    size: 10Gi
networkPolicy:
  enabled: true
  egress:
    enabled: true
pdb:
  enabled: true
```
Bundled HelmForge PostgreSQL is useful for self-contained releases:
```yaml
sonarqube:
  databaseMode: postgresql
  esBootstrapChecksDisable: false
postgresql:
  enabled: true
  auth:
    database: sonarqube
    username: sonar
    password: change-me
  standalone:
    persistence:
      enabled: true
      size: 50Gi
```
Host Requirements
Production nodes must satisfy SonarQube’s Elasticsearch requirements before enabling bootstrap checks:
- `vm.max_map_count=524288`
- `fs.file-max=131072`
- file descriptor limit of `131072`
- process limit of `8192`
Keep sonarqube.esBootstrapChecksDisable=true only for local and disposable environments.
Plugins
The chart can download plugins during initialization:
```yaml
plugins:
  enabled: true
  install:
    - name: sonar-auth-oidc
      url: https://artifacts.example.com/sonar-auth-oidc.jar
```
Use an internal artifact repository for production. Startup should not depend on public internet availability.
Community Branch Plugin
Community Branch Plugin wiring is explicit because it replaces web application files and adds Java agents:
```yaml
communityBranchPlugin:
  enabled: true
  version: '26.4.0'
plugins:
  enabled: true
persistence:
  extensions:
    enabled: true
    size: 10Gi
```
Keep the plugin major and minor version aligned with the SonarQube major and minor version. Mirror `jarUrl` and `webappUrl` internally when outbound internet is restricted.
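An added example (not part of the HelmForge chart or its documentation): a pre-deploy lint that applies the production guidance from the Production Values, Host Requirements, Plugins and Common Issues sections to a release's values. It assumes the key nesting shown in the examples on this page; `INTERNAL_SUFFIXES`, `dig` and `lint_values` are hypothetical names, and the suffixes are placeholders for your own artifact repository domain.

```python
import json
from urllib.parse import urlparse

# Assumed: internal repo DNS suffixes (placeholders); key paths as shown on this page.
INTERNAL_SUFFIXES = (".svc.cluster.local", ".artifacts.internal.example")

def dig(values, path, default=None):  # follow a dotted key path through nested dicts
    node = values
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node

def lint_values(values, internal_suffixes=INTERNAL_SUFFIXES):
    """Return findings that make a release unfit for production."""
    findings = []
    mode = dig(values, "sonarqube.databaseMode")
    if mode == "embedded":
        findings.append("sonarqube.databaseMode=embedded is for disposable validation only")
    if dig(values, "sonarqube.esBootstrapChecksDisable") is not False:
        findings.append("sonarqube.esBootstrapChecksDisable is not explicitly false")
    if dig(values, "postgresql.auth.password") == "change-me":
        findings.append("postgresql.auth.password still holds the documentation placeholder")
    if mode == "external" and not dig(values, "database.external.existingSecret"):
        findings.append("database.external.existingSecret is unset; password has no Secret source")
    for plugin in dig(values, "plugins.install", []) or []:
        url = urlparse(plugin.get("url", ""))
        host = url.hostname or ""
        if url.scheme != "https" or not host.endswith(tuple(internal_suffixes)):
            findings.append(f"plugin {plugin.get('name')} is fetched from {url.scheme}://{host}")
    wants_plugins = dig(values, "plugins.enabled") or dig(values, "communityBranchPlugin.enabled")
    if wants_plugins and not dig(values, "persistence.extensions.enabled"):
        findings.append("plugins enabled without persistence.extensions; they vanish on restart")
    if not dig(values, "networkPolicy.enabled"):
        findings.append("networkPolicy.enabled is not true")
    return findings

# Constructed sample, shaped like `helm get values sonarqube -n sonarqube --all -o json`.
SAMPLE = json.loads("""{
  "sonarqube": {"databaseMode": "postgresql", "esBootstrapChecksDisable": true},
  "postgresql": {"enabled": true, "auth": {"password": "change-me"}},
  "plugins": {"enabled": true, "install": [
    {"name": "sonar-auth-oidc", "url": "https://artifacts.example.com/sonar-auth-oidc.jar"}]},
  "persistence": {"extensions": {"enabled": false}}, "networkPolicy": {"enabled": true}
}""")

if __name__ == "__main__":
    print("\n".join(lint_values(SAMPLE)))
```

Feed it the output of `helm get values sonarqube -n sonarqube --all -o json` and fail the pipeline when the returned list is non-empty.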
Networking
Ingress example:
```yaml
ingress:
  enabled: true
  ingressClassName: nginx
  hosts:
    - host: sonarqube.example.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: sonarqube-tls
      hosts:
        - sonarqube.example.com
```
Gateway API uses gatewayAPI for this chart:
```yaml
gatewayAPI:
  enabled: true
  parentRefs:
    - name: public-gateway
      namespace: gateway-system
  hostnames:
    - sonarqube.example.com
```
Validation
After deployment:
```bash
helm test sonarqube -n sonarqube
kubectl get pods -n sonarqube -l app.kubernetes.io/name=sonarqube
kubectl logs -n sonarqube deploy/sonarqube --since=10m
kubectl get events -n sonarqube --sort-by=.lastTimestamp
```
Also validate the UI system status, a project scan, plugin loading, and branch analysis when the community branch plugin is enabled.
Common Issues
| Symptom | Likely Cause | Fix |
|---|---|---|
| Elasticsearch bootstrap check fails | Node kernel limits are too low | Configure node sysctls and process/file limits. |
| Plugin disappears after restart | Extensions persistence disabled | Enable persistence.extensions. |
| Startup waits forever for DB | JDBC URL, Secret key, or network policy is wrong | Check DB Secret, DNS, and egress policy. |
| Branch plugin fails after upgrade | Plugin version mismatches SonarQube | Align plugin and SonarQube major/minor versions. |
Values
| Parameter | Default | Description |
|---|---|---|
| `image.repository` | `docker.io/library/sonarqube` | Official SonarQube image. |
| `image.tag` | `26.4.0.121862-community` | SonarQube Community Build tag. |
| `sonarqube.databaseMode` | `auto` | Database mode: `auto`, `embedded`, `postgresql`, or `external`. |
| `postgresql.enabled` | `false` | Deploy HelmForge PostgreSQL dependency. |
| `waitForDatabase.enabled` | `true` | Wait for PostgreSQL before startup. |
| `plugins.enabled` | `false` | Enable plugin download init container. |
| `communityBranchPlugin.enabled` | `false` | Install and wire the community branch plugin. |
| `persistence.data.enabled` | `true` | Persist SonarQube data. |
| `gatewayAPI.enabled` | `false` | Render Gateway API HTTPRoute. |
| `externalSecrets.enabled` | `false` | Render ExternalSecret resources. |