This plugin enables user authentication and Single Sign-On via OpenShift. It is based on the code by Julien Lancelot. Tested on version 7 of Sonarqube and OCP 3.11. It is intended to run deployed in a pod on OpenShift.

This plugin is designed to work out of the box without configuration. During plugin deployment, it looks up oauth information from OpenShift's well-known information and takes advantage of information already on the running pod.

During deployment the plugin will:

• Look up well-known oauth information at https://openshift.default.svc
• Pull the service account client_id, secret and cert from the file system
• Pull the OpenShift API location from the env variables of the pod
• Get the ServiceAccount name from the API
• Get the Route of the service that is coordinating sonarqube for callback. This relies on the service name being available in the configuration (via sonar.properties). As a fallback it will default to sonarqube

This plugin is currently hosted at rht-labs. The latest jar is here. You can build it locally and place this plugin on to the volume where Sonarqube reads plugins at startup if modifying it. Typically, this might be /opt/sonarqube/data/plugins.

The service account can be used as the oauth client in OpenShift. The service account that runs Sonarqube should have a redirect uri that references the route that Sonarqube is using. You must specify this service account in the DeploymentConfig.

- apiVersion: v1
  kind: ServiceAccount
  metadata:
    annotations:
      serviceaccounts.openshift.io/oauth-redirectreference.sonarqube: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"sonarqube"}}'
    name: sonarqube

The service account must have the ability to view routes in the project.

oc policy add-role-to-user view system:serviceaccount:sonarqube-project:sonarqube

The environment variable sonar.auth.openshift.isEnabled must be set to true. The preferred way is to place that value in the sonar.properties file during your container build:

sonar.auth.openshift.isEnabled=true

You may also enable it in the Administrative console

This plugin will map OpenShift groups to Sonarqube roles. These values are set with the property

sonar.auth.openshift.sar.groups=ocp-admin=sonar-administrators,ocp-users=sonar-users

This shows that Sonarqube will allow OpenShift users who are in the group ocp-admin users to be administrators with the role of sonar-administrators. Ordinary users will be added as sonar-users if they are OpenShift users in the group ocp-users. These OpenShift groups do not exist by default.

The default mapping value is:

sonar.auth.openshift.sar.groups=sonar-administrators=sonar-administrators,sonar-users=sonar-users

To disable certificate validation (not recommended for production) configure the ignore.certs property

ignore.certs=true

The pod that sonarqube runs in should have a valid certificate to access the OpenShift/Kubernetes API. The Oauth server may have a different certificate. That certificate needs to be loaded into the keystore. To do so, place the certificate on the container's file system (via configmap, dockerfile, etc...). Then configure the sonar property to point the location on the file system

oauth.cert=/opt/sonarqube/conf/oauth.crt

You may choose the background color of the log in button with the property

sonar.auth.openshift.button.color=#666666

Set the kubernetes API. In the example the API is set automatically with environment variables

kubernetes.service=https://${env:KUBERNETES_SERVICE_HOST}:${env:KUBERNETES_SERVICE_PORT}/

See the example set up using the OpenShift Applier here

Licensed under the Apache License