From c6ee6c0e2c3723c065e288ba77897df81c45214c Mon Sep 17 00:00:00 2001 From: Tobias Trabelsi <64127335+tobias-trabelsi-sonarsource@users.noreply.github.com> Date: Mon, 15 Nov 2021 16:17:01 +0100 Subject: [PATCH] SONAR-15656 added more documentation about the PKCS11 container --- server/sonar-docs/src/pages/setup/operate-cluster.md | 9 ++++++++- .../src/pages/setup/sonarqube-cluster-on-kubernetes.md | 9 +++++++++ 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/server/sonar-docs/src/pages/setup/operate-cluster.md b/server/sonar-docs/src/pages/setup/operate-cluster.md index 4d076889425..398541291a6 100644 --- a/server/sonar-docs/src/pages/setup/operate-cluster.md +++ b/server/sonar-docs/src/pages/setup/operate-cluster.md @@ -155,6 +155,9 @@ Property | Description | Default | Required [[info]] | This configuration is optional. To secure access to your setup, you may want to first limit access to the nodes in your network. Elasticsearch authentication just adds another layer of security. +[[warning]] +| When creating the PKCS#12 container, make sure it is created with an algorithm that is readable by Java 11. + For Elasticsearch authentication, the following properties need to be configured on specific nodes: #### Application nodes @@ -171,7 +174,8 @@ Property | Description | Default | Required `sonar.cluster.es.ssl.keystorePassword`|Password to the keystore.| |no `sonar.cluster.es.ssl.truststorePassword`|Password to the truststore.| | no -When you're using Docker image, truststore and keystore should be provided as volumes. +When you're using the SonarSource Docker images, the truststore/keystore should be provided as volumes. +On Kubernetes, you need to create a new Secret from the truststore/keystore and provide the name to the Helm chart. ## Limitations * Cluster downtime is required for SonarQube upgrades or plugin installations. 
@@ -189,3 +193,6 @@ Yes, but it's best to have one machine for each node to be resilient to failures ### Can the members of a cluster be discovered automatically? No, all nodes must be configured in _$SONARQUBE-HOME/conf/sonar.properties_ + +### My keystore/truststore cannot be read by SonarQube +Make sure that the keystore/truststore in question was generated with an algorithm that is known to Java 11. See [JDK-8267599](https://bugs.openjdk.java.net/browse/JDK-8267599) for reference \ No newline at end of file diff --git a/server/sonar-docs/src/pages/setup/sonarqube-cluster-on-kubernetes.md b/server/sonar-docs/src/pages/setup/sonarqube-cluster-on-kubernetes.md index 349b90deee6..6dfa809e7e7 100644 --- a/server/sonar-docs/src/pages/setup/sonarqube-cluster-on-kubernetes.md +++ b/server/sonar-docs/src/pages/setup/sonarqube-cluster-on-kubernetes.md @@ -141,6 +141,15 @@ With JSON Logging enabled, you can define a LogQL Query like this to filter only {namespace="sonarqube-dce", app="sonarqube-dce"}| json | severity="ERROR" | line_format "{{.nodename}} {{.message}}" ``` +### ES Cluster Authentication + +Since SonarQube 8.9, you can enable basic security for the Search Cluster in SonarQube. To benefit from this additional layer of security on Kubernetes as well, you need to provide a PKCS#11 Container with the required certificates to our Helm chart. +The required secret can be created like this: + +```bash +kubectl create secret generic --from-file=/PATH/TO/YOUR/PKCS12.container=elastic-stack-ca.p12 -n +``` + ### Other Configuration Options This documentation only contains the most important Helm chart customizations. See the [Customize the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing) documentation and the Helm chart [README](https://github.com/SonarSource/helm-chart-sonarqube/tree/master/charts/sonarqube-dce) for more possibilities on customizing the Helm chart. -- 2.39.5
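Review bot: in the operate-cluster.md hunk at `@@ -155,6 +155,9 @@`, the new `[[warning]]` block tells the reader to use "an algorithm that is readable by Java 11" without saying what that means in practice or where to look it up; since the FAQ entry added further down in the same file already links JDK-8267599, link it from the warning too, e.g. `| When creating the PKCS#12 container, make sure it is created with an algorithm that is readable by Java 11 (see [JDK-8267599](https://bugs.openjdk.java.net/browse/JDK-8267599)).`, so someone reading the Elasticsearch authentication section does not have to find the FAQ first. Also note that the commit subject says "PKCS11 container" while this warning, the `.p12` file and the `PKCS12.container` path elsewhere in the patch all refer to PKCS#12; the subject should say PKCS#12.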
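Review bot: in the operate-cluster.md hunk at `@@ -171,7 +174,8 @@`, "provide the name to the Helm chart" does not say which Helm value takes the Secret name, so the reader is left guessing; either name the value or link to the ES Cluster Authentication section that this patch adds to sonarqube-cluster-on-kubernetes.md. Changing "Docker image" to "the SonarSource Docker images" is a good fix, but "the truststore/keystore should be provided as volumes" would read more clearly as "mount the truststore and keystore as volumes".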
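Review bot: in the operate-cluster.md hunk at `@@ -189,3 +193,6 @@`, the new FAQ entry ends without a period and without a trailing newline (`\ No newline at end of file`); end the line with "for reference." and a newline so the next addition to this file does not produce a noisy diff. The entry also repeats the new warning in the Elasticsearch authentication section almost word for word; keeping the JDK-8267599 link in one place (the FAQ) and having the warning point at it would avoid the two drifting apart.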
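Review bot: in the sonarqube-cluster-on-kubernetes.md hunk at `@@ -141,6 +141,15 @@`, the `kubectl create secret generic` command is not runnable as written: the secret name after `generic` and the namespace after `-n` are missing (likely `<name>` style placeholders that were dropped), and the `--from-file` argument has key and source the wrong way round. kubectl's syntax is `--from-file=[key=]source`, so the key inside the Secret (presumably the `elastic-stack-ca.p12` file name the chart expects) comes first and the local path second, e.g. `kubectl create secret generic <secret-name> --from-file=elastic-stack-ca.p12=/PATH/TO/YOUR/PKCS12.container -n <namespace>` with the angle-bracket placeholders filled in by the reader. The paragraph above the command also says "a PKCS#11 Container" while the `.p12` key, the `PKCS12.container` path and the warning added to operate-cluster.md all say PKCS#12; it should say PKCS#12. Finally, "provide ... to our Helm chart" should state which chart value receives the Secret name, consistent with the Docker/Kubernetes sentence in operate-cluster.md.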