Integrated bb-common
General MR
Summary
- Integrated bb-common and replaced static resources with bb-common generated resources
- Disabled telemetry to reduce outbound calls
- Fixed label and tls config in service monitor so that it works properly
Relevant logs/screenshots
Prior to Upgrade
No Service Monitors Present:
Peer authentication applied to workloads using a label from upstream that doesn't exist on them:
Logs from istio-proxy show failed calls when hardening is enabled due to missing service entries:
```
kubectl logs sonarqube-sonarqube-0 -c istio-proxy -n sonarqube | grep BlackHoleCluster
[2026-01-12T14:18:21.175Z] "- - -" 0 UH - - "-" 0 0 469 - "-" "-" "-" "-" "-" BlackHoleCluster; - 54.247.131.127:443 10.42.0.6:35788 telemetry.sonarsource.com - traceID=-
[2026-01-12T14:18:21.647Z] "- - -" 0 UH - - "-" 0 0 13 - "-" "-" "-" "-" "-" BlackHoleCluster; - 52.208.126.91:443 10.42.0.6:52392 telemetry.sonarsource.com - traceID=-
[2026-01-12T14:43:35.053Z] "- - -" 0 UH - - "-" 0 0 10 - "-" "-" "-" "-" "-" BlackHoleCluster; - 3.175.34.123:443 10.42.0.6:40908 downloads.sonarsource.com - traceID=-
[2026-01-12T14:43:35.133Z] "- - -" 0 UH - - "-" 0 0 19 - "-" "-" "-" "-" "-" BlackHoleCluster; - 3.175.34.60:443 10.42.0.6:54926 downloads.sonarsource.com - traceID=-
[2026-01-12T14:43:35.165Z] "- - -" 0 UH - - "-" 0 0 74 - "-" "-" "-" "-" "-" BlackHoleCluster; - 3.175.34.35:443 10.42.0.6:45954 downloads.sonarsource.com - traceID=-
[2026-01-12T14:43:35.241Z] "- - -" 0 UH - - "-" 0 0 8 - "-" "-" "-" "-" "-" BlackHoleCluster; - 3.175.34.49:443 10.42.0.6:38726 downloads.sonarsource.com - traceID=-
[2026-01-12T14:43:40.683Z] "- - -" 0 UH - - "-" 0 0 7 - "-" "-" "-" "-" "-" BlackHoleCluster; - 3.175.34.123:443 10.42.0.6:40912 downloads.sonarsource.com - traceID=-
[2026-01-12T14:43:40.691Z] "- - -" 0 UH - - "-" 0 0 6 - "-" "-" "-" "-" "-" BlackHoleCluster; - 3.175.34.60:443 10.42.0.6:54938 downloads.sonarsource.com - traceID=-
[2026-01-12T14:43:40.698Z] "- - -" 0 UH - - "-" 0 0 34 - "-" "-" "-" "-" "-" BlackHoleCluster; - 3.175.34.35:443 10.42.0.6:45968 downloads.sonarsource.com - traceID=-
[2026-01-12T14:43:40.733Z] "- - -" 0 UH - - "-" 0 0 6 - "-" "-" "-" "-" "-" BlackHoleCluster; - 3.175.34.49:443 10.42.0.6:38728 downloads.sonarsource.com - traceID=-
```
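Added example (not part of this MR): a small Python parser for the istio-proxy access-log lines above that groups BlackHoleCluster hits (response flag UH) by SNI host and diffs them against the hosts an existing ServiceEntry already covers, so the output is the list of hosts that still need a ServiceEntry or, as with telemetry here, need the outbound call disabled. It assumes the field order shown in these lines; the sample lines are two of the ones quoted above.

```python
import re
from collections import defaultdict

# Field order assumed from the lines above: timestamp, request, response code,
# response flags, ..., "<cluster>; <upstream-local> <dst> <src> <sni> <route>".
_LOG_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] "[^"]*" (?P<code>\S+) (?P<flags>\S+) .*? '
    r'(?P<cluster>\S+); (?P<uplocal>\S+) (?P<dst>\S+) (?P<src>\S+) (?P<sni>\S+) (?P<route>\S+)'
)


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = _LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def blackholed_hosts(lines):
    """Group BlackHoleCluster hits (UH = no healthy upstream) by SNI host."""
    hits = defaultdict(lambda: {"count": 0, "dst_ips": set()})
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["cluster"] != "BlackHoleCluster" or "UH" not in rec["flags"]:
            continue
        host = rec["sni"]
        hits[host]["count"] += 1
        hits[host]["dst_ips"].add(rec["dst"].rsplit(":", 1)[0])  # strip the port
    return dict(hits)


def missing_service_entries(lines, service_entry_hosts):
    """Blackholed hosts not covered by any ServiceEntry host (sorted)."""
    covered = set(service_entry_hosts)
    return sorted(h for h in blackholed_hosts(lines) if h not in covered)


# Constructed sample: two of the lines quoted above.
SAMPLE = """\
[2026-01-12T14:18:21.175Z] "- - -" 0 UH - - "-" 0 0 469 - "-" "-" "-" "-" "-" BlackHoleCluster; - 54.247.131.127:443 10.42.0.6:35788 telemetry.sonarsource.com - traceID=-
[2026-01-12T14:43:35.053Z] "- - -" 0 UH - - "-" 0 0 10 - "-" "-" "-" "-" "-" BlackHoleCluster; - 3.175.34.123:443 10.42.0.6:40908 downloads.sonarsource.com - traceID=-
""".splitlines()

if __name__ == "__main__":
    # downloads.sonarsource.com is covered by the marketplace ServiceEntry below;
    # telemetry.sonarsource.com is what remains.
    print(missing_service_entries(SAMPLE, ["github.com", "downloads.sonarsource.com"]))
```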
```
kubectl get netpol -n sonarqube
NAME                       POD-SELECTOR        AGE
allow-dns-egress           <none>              22m
allow-helm-test-egress     helm-test=enabled   22m
allow-https-egress         app=sonarqube       22m
allow-in-ns                <none>              22m
allow-istio                <none>              22m
allow-istiod-egress        <none>              22m
allow-monitoring-ingress   <none>              22m
allow-tempo-egress         <none>              22m
default-deny               <none>              22m
```

```
kubectl get ap -n sonarqube
NAME                             ACTION   AGE
allow-http-envoy-prom-policy     ALLOW    22m
allow-http-policy                ALLOW    22m
allow-intranamespace-sonarqube   ALLOW    22m
allow-postgres-intra-namespace   ALLOW    22m
tempo-authz-policy               ALLOW    22m
```

```
kubectl get se -n sonarqube
NAME                            HOSTS                                                                                                         LOCATION        RESOLUTION   AGE
sonarqube-allow-cypress-tests   ["registry.npmjs.org","download.cypress.io","cdn.cypress.io","repo1.dso.mil","sonarqube.dev.bigbang.mil"]   MESH_EXTERNAL   DNS          22m
```

```
kubectl get pa -n sonarqube
NAME                             MODE     AGE
default-sonarqube                STRICT   23m
sonarqube-podmonitor-exception   STRICT   23m
```

```
kubectl get vs -n sonarqube
NAME                  GATEWAYS                                  HOSTS                           AGE
sonarqube-sonarqube   ["istio-gateway/public-ingressgateway"]   ["sonarqube.dev.bigbang.mil"]   23m
```
After Bb-common Integration
Service monitor present and functional by default:
NOTE: Upstream does provide a podMonitor resource, however, it does not play well with the service mesh.
Istio Configuration Shows Clean:
Logs from istio-proxy now only show failed calls to telemetry, which has been disabled anyway:
```
kubectl logs sonarqube-sonarqube-0 -c istio-proxy -n sonarqube | grep BlackHoleCluster
[2026-01-12T17:26:53.661Z] "- - -" 0 UH - - "-" 0 0 97 - "-" "-" "-" "-" "-" BlackHoleCluster; - 52.208.126.91:443 10.42.3.13:36340 telemetry.sonarsource.com - traceID=-
[2026-01-12T17:26:53.760Z] "- - -" 0 UH - - "-" 0 0 6 - "-" "-" "-" "-" "-" BlackHoleCluster; - 54.247.131.127:443 10.42.3.13:33332 telemetry.sonarsource.com - traceID=-
```
NOTE: Telemetry was disabled in accordance with upstream's documentation, so this may just be a one-time thing. It's hard to know, however, as it only reaches out to telemetry once every 24 hours.
```
kubectl get netpol -n sonarqube
NAME                                                                                    POD-SELECTOR    AGE
allow-egress-from-sonarqube-to-code-repository                                          app=sonarqube   27m
allow-egress-from-sonarqube-to-ns-tempo-pod-tempo-tcp-port-9411                         app=sonarqube   27m
allow-egress-from-sonarqube-to-sonarsource-marketplace                                  app=sonarqube   27m
allow-ingress-to-sonarqube-9000-from-ns-istio-gateway-pod-public-ingressgateway         app=sonarqube   27m
allow-ingress-to-sonarqube-tcp-ports-8000-8001-9000-from-ns-monitoring-pod-prometheus   app=sonarqube   27m
default-egress-allow-all-in-ns                                                          <none>          27m
default-egress-allow-istiod                                                             <none>          27m
default-egress-allow-kube-dns                                                           <none>          27m
default-egress-deny-all                                                                 <none>          27m
default-ingress-allow-all-in-ns                                                         <none>          27m
default-ingress-allow-prometheus-to-istio-sidecar                                       <none>          27m
default-ingress-deny-all                                                                <none>          27m
```

```
kubectl get ap -n sonarqube
NAME                                                                                                                        ACTION   AGE
allow-ingress-to-sonarqube-tcp-ports-8000-8001-9000-from-ns-monitoring-with-identity-monitoring-monitoring-kube-prometheus   ALLOW    27m
allow-intranamespace-sonarqube                                                                                              ALLOW    43m
default-authz-allow-all-in-ns                                                                                               ALLOW    27m
default-authz-allow-nothing                                                                                                          27m
sonarqube-public-ingressgateway-authz-policy                                                                                ALLOW    27m
```

```
kubectl get se -n sonarqube
NAME                             HOSTS                                                                                                         LOCATION        RESOLUTION   AGE
bb-tests-external                ["repo1.dso.mil"]                                                                                             MESH_EXTERNAL   DNS          27m
sonarqube-allow-cypress-tests    ["registry.npmjs.org","download.cypress.io","cdn.cypress.io","repo1.dso.mil","sonarqube.dev.bigbang.mil"]   MESH_EXTERNAL   DNS          43m
sonarqube-internal               ["sonarqube.dev.bigbang.mil"]                                                                                 MESH_EXTERNAL   DNS          27m
sonarqube-marketplace-external   ["github.com","release-assets.githubusercontent.com","downloads.sonarsource.com"]                             MESH_EXTERNAL   DNS          27m
```

```
kubectl get pa -n sonarqube
NAME                MODE     AGE
default-peer-auth   STRICT   27m
```

```
kubectl get vs -n sonarqube
NAME        GATEWAYS                                  HOSTS                           AGE
sonarqube   ["istio-gateway/public-ingressgateway"]   ["sonarqube.dev.bigbang.mil"]   27m
```
Linked Issue
Upgrade Notices
Sonarqube is now leveraging our bb-common integration for network policies and all istio-related resources. Please refer to this blog post for additional information on the integration.
Please note that two new definitions have been created as part of this integration to allow these policies to be more tailored to a given environment:
```yaml
sonarsource-marketplace:
  to:
    - ipBlock:
        cidr: "0.0.0.0/0"
        except:
          - 169.254.169.254/32
  ports:
    - port: 443
      protocol: TCP
```
This policy allows communication to the Sonarsource marketplace, which is required for receiving updates to any installed plugins. Currently, this will be enabled automatically if any plugins are specified in the helm chart for Sonarqube or if `networkPolicies.egressHttps.enabled` is set to true.
NOTE: Unfortunately, Sonarsource does not have a documented list of IP addresses or ranges they use, but if this changes in the future the `cidr` value can be updated to further restrict access.
```yaml
code-repository:
  to:
    - ipBlock:
        cidr: "0.0.0.0/0"
        except:
          - 169.254.169.254/32
```
This network policy is enabled by default, as it allows Sonarqube to access the code repository in order to perform its desired function. The `cidr` value can be updated to reflect the proper IP address for your code repository. It is also automatically enabled if `networkPolicies.egressHttps.enabled` is set to true.
Both definitions can be disabled/enabled manually as well if needed as shown below:
```yaml
networkPolicies:
  egress:
    from:
      sonarqube:
        podSelector:
          matchLabels:
            app: sonarqube
        to:
          definition:
            sonarsource-marketplace: false # To disable access to Sonarsource marketplace
            code-repository: false # To disable access to a code-repository
```
NOTE: The `networkPolicies.egressHttps.enabled` value will be deprecated in the next major Big Bang release (4.0), so it is recommended to switch over to using the new definitions provided by bb-common.
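Added example (not part of this MR or bb-common): Python that evaluates the two definitions above with Kubernetes ipBlock semantics (inside `cidr`, outside every `except` range, and a port match only when a `ports` clause is present), so you can confirm what a tightened `cidr` or a disabled definition permits before rolling it out. The `except` entry keeps the cloud instance-metadata endpoint unreachable even with `0.0.0.0/0`; the definition dicts are transcribed from the notice and the `enabled` map mirrors the values keys shown, while the function names are this example's own.

```python
import ipaddress

# The two egress definitions from the upgrade notice, transcribed as dicts.
# A definition without a "ports" clause matches every port and protocol.
DEFINITIONS = {
    "sonarsource-marketplace": {
        "to": [{"ipBlock": {"cidr": "0.0.0.0/0", "except": ["169.254.169.254/32"]}}],
        "ports": [{"port": 443, "protocol": "TCP"}],
    },
    "code-repository": {
        "to": [{"ipBlock": {"cidr": "0.0.0.0/0", "except": ["169.254.169.254/32"]}}],
    },
}


def _ipblock_matches(block, ip):
    """Kubernetes ipBlock semantics: inside cidr and not inside any except range."""
    addr = ipaddress.ip_address(ip)
    if addr not in ipaddress.ip_network(block["cidr"], strict=False):
        return False
    return not any(addr in ipaddress.ip_network(e, strict=False)
                   for e in block.get("except", []))


def _ports_match(rule, port, protocol):
    """No ports clause means all ports/protocols; otherwise one entry must match."""
    ports = rule.get("ports")
    if not ports:
        return True
    return any(p.get("port") == port and p.get("protocol", "TCP") == protocol
               for p in ports)


def egress_allowed(rule, ip, port, protocol="TCP"):
    """True if a single egress rule permits a connection to ip:port/protocol."""
    peers = rule.get("to")
    # An egress rule with no "to" selects every destination.
    peer_ok = not peers or any("ipBlock" in p and _ipblock_matches(p["ipBlock"], ip)
                               for p in peers)
    return bool(peer_ok) and _ports_match(rule, port, protocol)


def allowed_by_definitions(definitions, enabled, ip, port, protocol="TCP"):
    """Names of enabled definitions (name -> bool, as in the values file) permitting the flow."""
    return sorted(name for name, on in enabled.items()
                  if on and egress_allowed(definitions[name], ip, port, protocol))


if __name__ == "__main__":
    enabled = {"sonarsource-marketplace": False, "code-repository": True}
    print(allowed_by_definitions(DEFINITIONS, enabled, "3.175.34.123", 443))
    print(allowed_by_definitions(DEFINITIONS, enabled, "169.254.169.254", 443))
```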
Umbrella Branch
sonarqube-bb-common