Automating SonarQube Upgrades with Ansible

Ambidextrous
Jan 29, 2023

SonarQube is an excellent tool for improving and maintaining code quality. It analyzes the code written by a developer and generates a report flagging any potential security or code quality issues. It works across multiple languages and is easy to integrate with DevOps tools. In our case, we have integrated it with GitHub using GitHub Actions: every time a developer creates a pull request with their changes, a GitHub Action runs a SonarQube analysis on the new code. If the new code does not pass the code standards we configured in SonarQube, the pull request is flagged and cannot be merged until those issues are resolved. In this way, SonarQube forces us to write clean code with proper conventions.

SonarQube usually releases a new version of the product every 2–3 months, which means that if we want to use the latest version, someone has to go to that server and update the application periodically. This is a repetitive task that becomes boring when we have to do it again and again. Here’s where Ansible comes to our rescue. To automate this task, we will create an Ansible role that downloads the new version of the app, installs it, and then configures SonarQube with the required configurations.

Here is the step-by-step procedure to do this:

1. Make sure Ansible is installed on your server. If not, you can install it with Homebrew:
brew search ansible
brew install ansible@2.9
ansible --version

2. Create the required directory structure for the Ansible project. In my case, I keep all my Ansible roles in a central directory.

3. Create an Ansible role named sonarqube_upgrade in the roles directory. The ansible-galaxy command comes bundled with Ansible. After running this command, you will notice that a new set of directories has been created. Each of these directories has a specific purpose and contains a main.yml file.

ansible-galaxy init sonarqube_upgrade

4. Let's start with the tasks directory. This contains the list of steps that will be executed by the role and is our entry point. Basically, we download a new version of SonarQube, update its configuration through templates, and then point the sonarqube symlink to this new directory. The systemd service file always points to this symlink, which in turn points to the latest version of SonarQube. This way, after the upgrade the app can be started and stopped via the same systemctl commands.

5. Next, we will create a new template in the templates directory, which will be used to update the conf/sonar.properties file that contains the SonarQube configuration. Here is a sample configuration file that contains configs related to the database and web server. Ansible templates use Jinja2 to generate dynamic files at runtime. Similarly, we can also create a template for the systemd service file (a sample file is present in the GitHub repo).

6. Then, as the last step in building the role, we will update the file in the vars directory. This contains the actual values we want to use, such as the SonarQube version to upgrade to, the database username, password, etc.

7. Now we have our Ansible role ready. Before we execute the role, we have to update the playbook to refer to the role we would like to execute. Just specify the role we created in the steps above.

8. To run this Ansible role and upgrade the SonarQube app, run the following command:

ansible-playbook -v -i "inventories/dev/hosts" site.yml -u username

Let’s discuss the specified parameters:

  • ansible-playbook is the command to execute Ansible playbooks
  • -v is for verbose. With this parameter Ansible prints more debug messages. Adding multiple -v flags increases verbosity (example: ‘-vvv’)
  • -i is to specify the inventory file which contains the servers we want to target
  • site.yml is the playbook filename we want to execute
  • -u specifies the username to connect with the target host

After this step, the playbook will prompt for the specified user's password, and on successful entry, execute the playbook.

Note: It is not good practice to keep secrets such as credentials in plaintext. Ansible ships with Ansible Vault, which can be used to encrypt individual files. To encrypt the file, use the following command:

 ansible-vault encrypt roles/sonarqube_upgrade/vars/main.yml

This will prompt the user to enter a password and then confirm it once. After this, the file will be encrypted, as confirmed by the message “Encryption successful”. The default cipher for ansible-vault is AES, which can be confirmed from the first row of the encrypted file.

Similarly, to decrypt the file back to plaintext, use the following command:

 ansible-vault decrypt roles/sonarqube_upgrade/vars/main.yml
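
The first-row check mentioned above can be automated, for example as a pre-commit or CI step, so that a decrypted vars file is not committed by mistake. The script below is an added example, not part of the original post or its GitHub repo; the script name check_vault.sh, the function names and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical check_vault.sh): verify that files meant to be
# vault-encrypted really are, using the header ansible-vault writes as row one.

# Returns 0 = vault header present, 1 = plaintext or unknown header, 2 = no file.
is_vaulted() {
    [ -f "$1" ] || return 2
    header=$(head -n 1 "$1" | tr -d '\r')        # tolerate CRLF line endings
    case "$header" in
        # Format 1.1 has three fields; 1.2 appends a non-empty vault-id label.
        '$ANSIBLE_VAULT;1.1;AES256' | '$ANSIBLE_VAULT;1.2;AES256;'?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Check every path given; name offenders on stderr and return 1 if any failed.
check_vaulted() {
    failed=0
    for f in "$@"; do
        is_vaulted "$f" && continue
        echo "not vault-encrypted: $f" >&2
        failed=1
    done
    return "$failed"
}

# Offline self-test on constructed samples (fake ciphertext, fake password).
# Prints the three return codes: vaulted file, plaintext file, both together.
selftest() {
    tmp=$(mktemp -d) || return 2
    printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' '3962363431613562' > "$tmp/vaulted.yml"
    printf '%s\n' '---' 'sonar_db_password: example-only' > "$tmp/plain.yml"
    r1=0; is_vaulted "$tmp/vaulted.yml" || r1=$?
    r2=0; is_vaulted "$tmp/plain.yml" || r2=$?
    r3=0; check_vaulted "$tmp/vaulted.yml" "$tmp/plain.yml" 2>/dev/null || r3=$?
    rm -rf "$tmp"
    echo "$r1 $r2 $r3"
}

# Usage: sh check_vault.sh roles/sonarqube_upgrade/vars/main.yml
if [ "$#" -gt 0 ]; then
    check_vaulted "$@"
fi
```

Once the vars file is encrypted, the playbook run also needs the vault password, for example by adding --ask-vault-pass to the ansible-playbook command.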

That’s it! Hopefully, this will help someone automate SonarQube upgrades. All of the code samples for this exercise are available on GitHub.
