From 8e26a4b5cc2d9ad1f3f5ed77aa97f89c59dda73b Mon Sep 17 00:00:00 2001 From: Carmine Vassallo Date: Fri, 24 Jan 2025 15:30:50 +0100 Subject: [PATCH] SONAR-24184 Define the structure for 2025.2.0 cycle --- .cirrus/tasks.yml | 69 ++++++++++++++++++++------ 2025/datacenter/app/Dockerfile | 78 +++++++++++++++++++++++++++++ 2025/datacenter/app/run.sh | 50 +++++++++++++++++++ 2025/datacenter/app/sonar.sh | 3 ++ 2025/datacenter/search/Dockerfile | 81 +++++++++++++++++++++++++++++++ 2025/datacenter/search/run.sh | 38 +++++++++++++++ 2025/datacenter/search/sonar.sh | 3 ++ 2025/developer/Dockerfile | 76 +++++++++++++++++++++++++++++ 2025/developer/entrypoint.sh | 13 +++++ 2025/enterprise/Dockerfile | 76 +++++++++++++++++++++++++++++ 2025/enterprise/entrypoint.sh | 13 +++++ 11 files changed, 485 insertions(+), 15 deletions(-) create mode 100644 2025/datacenter/app/Dockerfile create mode 100755 2025/datacenter/app/run.sh create mode 100755 2025/datacenter/app/sonar.sh create mode 100644 2025/datacenter/search/Dockerfile create mode 100755 2025/datacenter/search/run.sh create mode 100755 2025/datacenter/search/sonar.sh create mode 100644 2025/developer/Dockerfile create mode 100755 2025/developer/entrypoint.sh create mode 100644 2025/enterprise/Dockerfile create mode 100755 2025/enterprise/entrypoint.sh diff --git a/.cirrus/tasks.yml b/.cirrus/tasks.yml index 15ca5f2ba..ed8d18b59 100644 --- a/.cirrus/tasks.yml +++ b/.cirrus/tasks.yml @@ -15,9 +15,11 @@ env: GCLOUD_PRODUCT_NAME: official-sonarqube-data-center-edition GCLOUD_STAGING_REGISTRY: gcr.io/sonarqube-marketplace-provider GCLOUD_STAGING_PRODUCT_NAME: sonarqube-dce-staging - CURRENT_LTA_VERSION: 9.9.8 + CURRENT_LTA_VERSION: 2025.1.0 CURRENT_VERSION: 2025.1.0 - NEXT_VERSION: 2025.1.0 + NEXT_VERSION: 2025.2.0 + # We keep the previous LTA support for the next 6 months + PREVIOUS_LTA_VERSION: 9.9.8 # Must be in the format YY.MM.0.###### where ###### is the build number COMMUNITY_BUILD_VERSION: 25.1.0.102122 
@@ -67,9 +69,9 @@ multi_arch_build_gcp_staging_task: only_if: $CIRRUS_CRON == 'nightly-mend-scan' || $TRIGGER == 'PUSH_GCP_STAGING_IMAGES' env: matrix: - - version: 2025.1/datacenter/app + - version: 2025/datacenter/app STAGING_IMAGE_NAME: ${GCLOUD_STAGING_REGISTRY}/${GCLOUD_STAGING_PRODUCT_NAME} - - version: 2025.1/datacenter/search + - version: 2025/datacenter/search STAGING_IMAGE_NAME: ${GCLOUD_STAGING_REGISTRY}/${GCLOUD_STAGING_PRODUCT_NAME}/sonarqube-dce-search ec2_instance: <<: *VM_TEMPLATE 
@@ -107,29 +109,43 @@ multi_arch_build_9_x_task: env: matrix: - version: 9/community - tag: $CURRENT_LTA_VERSION-community + tag: $PREVIOUS_LTA_VERSION-community - version: 9/developer - tag: $CURRENT_LTA_VERSION-developer + tag: $PREVIOUS_LTA_VERSION-developer - version: 9/enterprise - tag: $CURRENT_LTA_VERSION-enterprise + tag: $PREVIOUS_LTA_VERSION-enterprise - version: 9/datacenter/app - tag: $CURRENT_LTA_VERSION-datacenter-app + tag: $PREVIOUS_LTA_VERSION-datacenter-app - version: 9/datacenter/search + tag: $PREVIOUS_LTA_VERSION-datacenter-search + +multi_arch_build_2025_1_task: + <<: *multi_arch_build_task_template + skip: "!changesInclude('2025.1/**/*') && !changesInclude('.cirrus/*')" + env: + matrix: + - version: 2025.1/developer + tag: $CURRENT_LTA_VERSION-developer + - version: 2025.1/enterprise + tag: $CURRENT_LTA_VERSION-enterprise + - version: 2025.1/datacenter/app + tag: $CURRENT_LTA_VERSION-datacenter-app + - version: 2025.1/datacenter/search tag: $CURRENT_LTA_VERSION-datacenter-search multi_arch_build_2025_x_task: <<: *multi_arch_build_task_template alias: multi_arch_build_sonarqube_server - skip: "!changesInclude('2025.1/**/*') && !changesInclude('.cirrus/*')" + skip: "!changesInclude('2025/**/*') && !changesInclude('.cirrus/*')" env: matrix: - - version: 2025.1/developer + - version: 2025/developer tag: ${NEXT_VERSION}-developer - - version: 2025.1/enterprise + - version: 2025/enterprise tag: ${NEXT_VERSION}-enterprise - - version: 2025.1/datacenter/app + - version: 2025/datacenter/app tag: ${NEXT_VERSION}-datacenter-app - - version: 2025.1/datacenter/search + - version: 2025/datacenter/search tag: ${NEXT_VERSION}-datacenter-search multi_arch_build_community_build_task: @@ -169,6 +185,7 @@ public_scan_task: WS_WSS_URL: https://saas-eu.whitesourcesoftware.com/agent matrix: - tag: $CURRENT_LTA_VERSION-datacenter-app + - tag: $PREVIOUS_LTA_VERSION-datacenter-app - tag: $CURRENT_VERSION-datacenter-app ec2_instance: <<: *CI_SCANNER 
@@ -208,14 +225,36 @@ multi_arch_test_9_x_task: env: matrix: - test_name: docker - tag: $CURRENT_LTA_VERSION-community + tag: $PREVIOUS_LTA_VERSION-community + - test_name: docker + tag: $PREVIOUS_LTA_VERSION-developer + - test_name: docker + tag: $PREVIOUS_LTA_VERSION-enterprise + - test_name: docker-compose + tag: $PREVIOUS_LTA_VERSION-datacenter + depends_on: multi_arch_build_9_x + +multi_arch_test_2025_1_task: + <<: *multi_arch_test_task_template + skip: "!changesInclude('2025.1/**/*') && !changesInclude('.cirrus/*')" + matrix: + - env: + CIRRUS_ARCH: arm64 + INSTANCE_TYPE: t4g.large + AMI_NAME: docker-builder-arm64-v* + - env: + CIRRUS_ARCH: amd64 + INSTANCE_TYPE: t3.large + AMI_NAME: docker-builder-v* + env: + matrix: - test_name: docker tag: $CURRENT_LTA_VERSION-developer - test_name: docker tag: $CURRENT_LTA_VERSION-enterprise - test_name: docker-compose tag: $CURRENT_LTA_VERSION-datacenter - depends_on: multi_arch_build_9_x + depends_on: multi_arch_build_2025_1 multi_arch_test_2025_x_task: <<: *multi_arch_test_task_template diff --git a/2025/datacenter/app/Dockerfile b/2025/datacenter/app/Dockerfile new file mode 100644 index 000000000..db6767530 --- /dev/null +++ b/2025/datacenter/app/Dockerfile 
@@ -0,0 +1,78 @@
+FROM eclipse-temurin:17-jre-noble
+
+LABEL io.k8s.description="SonarQube Server is a self-managed, automatic code review tool that systematically helps you deliver Clean Code."
+LABEL io.openshift.min-cpu=400m
+LABEL io.openshift.min-memory=2048M
+LABEL io.openshift.non-scalable=false
+LABEL io.openshift.tags=sonarqube,static-code-analysis,code-quality,clean-code
+LABEL org.opencontainers.image.url=https://github.com/SonarSource/docker-sonarqube
+LABEL com.googleapis.cloudmarketplace.product.service.name=services/sonarqube-dce
+
+ENV LANG='en_US.UTF-8' \
+ LANGUAGE='en_US:en' \
+ LC_ALL='en_US.UTF-8'
+
+#
+# SonarQube setup
+#
+ARG SONARQUBE_VERSION=2025.1.0.102418
+ARG SONARQUBE_ZIP_URL=https://binaries.sonarsource.com/CommercialDistribution/sonarqube-datacenter/sonarqube-datacenter-${SONARQUBE_VERSION}.zip
+ENV DOCKER_RUNNING="true" \
+ JAVA_HOME='/opt/java/openjdk' \
+ SONARQUBE_HOME=/opt/sonarqube \
+ SONAR_VERSION="${SONARQUBE_VERSION}" \
+ SQ_DATA_DIR="/opt/sonarqube/data" \
+ SQ_EXTENSIONS_DIR="/opt/sonarqube/extensions" \
+ SQ_LOGS_DIR="/opt/sonarqube/logs" \
+ SQ_TEMP_DIR="/opt/sonarqube/temp" \
+ SONAR_CLUSTER_NODE_TYPE="application" \
+ SONAR_CLUSTER_ENABLED="true"
+
+RUN set -eux; \
+ deluser ubuntu; \
+ useradd --system --uid 1000 --gid 0 sonarqube; \
+ apt-get update; \
+ apt-get --no-install-recommends -y install \
+ bash \
+ curl \
+ fonts-dejavu \
+ gnupg \
+ iproute2 \
+ unzip; \
+ echo "networkaddress.cache.ttl=5" >> "${JAVA_HOME}/conf/security/java.security"; \
+ sed --in-place --expression="s?securerandom.source=file:/dev/random?securerandom.source=file:/dev/urandom?g" "${JAVA_HOME}/conf/security/java.security"; \
+ # pub 2048R/D26468DE 2015-05-25
+ # Key fingerprint = F118 2E81 C792 9289 21DB CAB4 CFCA 4A29 D264 68DE
+ # uid sonarsource_deployer (Sonarsource Deployer)
+ # sub 2048R/06855C1D 2015-05-25
+ for server in $(shuf -e hkps://keys.openpgp.org \
+ hkps://keyserver.ubuntu.com) ; do \
+ gpg --batch --keyserver "${server}" --recv-keys 679F1EE92B19609DE816FDE81DB198F93525EC1A && break || : ; \
+ done; \
+ mkdir --parents /opt; \
+ cd /opt; \
+ curl --fail --location --output sonarqube.zip --silent --show-error "${SONARQUBE_ZIP_URL}"; \
+ curl --fail --location --output sonarqube.zip.asc --silent --show-error "${SONARQUBE_ZIP_URL}.asc"; \
+ gpg --batch --verify sonarqube.zip.asc sonarqube.zip; \
+ unzip -q sonarqube.zip; \
+ mv "sonarqube-${SONARQUBE_VERSION}" sonarqube; \
+ rm sonarqube.zip*; \
+ rm -rf ${SONARQUBE_HOME}/bin/*; \
+ ln -s "${SONARQUBE_HOME}/lib/sonar-application-${SONARQUBE_VERSION}.jar" "${SONARQUBE_HOME}/lib/sonarqube.jar"; \
+ chmod -R 550 ${SONARQUBE_HOME}; \
+ chmod -R 770 "${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}"; \
+ apt-get remove -y gnupg unzip; \
+ rm -rf /var/lib/apt/lists/*;
+
+VOLUME ["${SQ_DATA_DIR}", "${SQ_EXTENSIONS_DIR}", "${SQ_LOGS_DIR}", "${SQ_TEMP_DIR}"]
+
+COPY run.sh sonar.sh ${SONARQUBE_HOME}/docker/
+
+WORKDIR ${SONARQUBE_HOME}
+EXPOSE 9000
+
+USER sonarqube
+STOPSIGNAL SIGINT
+
+ENTRYPOINT ["/opt/sonarqube/docker/run.sh"]
+CMD ["/opt/sonarqube/docker/sonar.sh"]
diff --git a/2025/datacenter/app/run.sh b/2025/datacenter/app/run.sh
new file mode 100755
index 000000000..31c536914
--- /dev/null
+++ b/2025/datacenter/app/run.sh
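Review bot: The comment block above the keyserver loop documents fingerprint `F118 2E81 C792 9289 21DB CAB4 CFCA 4A29 D264 68DE`, but the loop imports `679F1EE92B19609DE816FDE81DB198F93525EC1A`, so the comment does not describe the key that `gpg --batch --verify` ends up trusting. That fingerprint is the trust anchor for the downloaded archive, so the four comment lines should be replaced with the key actually fetched, e.g. `# Key fingerprint = 679F 1EE9 2B19 609D E816 FDE8 1DB1 98F9 3525 EC1A`, which lets an auditor compare it with the vendor's published value. The same stale comment is repeated in the search, developer and enterprise Dockerfiles added by this commit. The loop itself fails closed: if no keyserver answers, the verify step has no key and `set -eux` aborts the build.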
@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+HOSTNAME=$(hostname)
+IP=$(ip -4 address show scope global | grep inet | awk '{ print $2 }' | head -n 1 | cut -d \/ -f 1)
+
+declare -a sq_opts=()
+set_prop() {
+ if [ "$2" ]; then
+ sq_opts+=("-D$1=$2")
+ fi
+}
+
+# if nothing is passed, assume we want to run sonarqube server
+if [ "$#" == 0 ]; then
+ set -- /opt/sonarqube/docker/sonar.sh
+fi
+
+# if first arg looks like a flag, assume we want to run sonarqube server with flags
+if [ "${1:0:1}" = '-' ]; then
+ set -- /opt/sonarqube/docker/sonar.sh "$@"
+fi
+
+if [[ "$1" = '/opt/sonarqube/docker/sonar.sh' ]]; then
+
+ #
+ # Change log path to ensure every app node can write in their own directory
+ # This resolves a cluttered log on docker-compose with scale > 1
+ #
+ if [ -z "${SONAR_PATH_LOGS:-}" ]
+ then
+ SONAR_CLUSTER_PATH_LOGS="logs/${HOSTNAME}"
+ mkdir -p ${SONARQUBE_HOME}/${SONAR_CLUSTER_PATH_LOGS}
+ else
+ SONAR_CLUSTER_PATH_LOGS="${SONAR_PATH_LOGS}/${HOSTNAME}"
+ mkdir -p ${SONAR_CLUSTER_PATH_LOGS}}
+ fi
+
+ #
+ # Set mandatory properties
+ #
+ set_prop "sonar.cluster.node.host" "${IP:-}"
+ set_prop "sonar.path.logs" "${SONAR_CLUSTER_PATH_LOGS:-}"
+ if [ ${#sq_opts[@]} -ne 0 ]; then
+ set -- "$@" "${sq_opts[@]}"
+ fi
+fi
+
+exec "$@"
diff --git a/2025/datacenter/app/sonar.sh b/2025/datacenter/app/sonar.sh
new file mode 100755
index 000000000..765ff8c50
--- /dev/null
+++ b/2025/datacenter/app/sonar.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# JVM args needed for hazelcast
+exec /opt/java/openjdk/bin/java --add-exports=java.base/jdk.internal.ref=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.nio=ALL-UNNAMED --add-opens=java.base/sun.nio.ch=ALL-UNNAMED --add-opens=java.management/sun.management=ALL-UNNAMED --add-opens=jdk.management/com.sun.management.internal=ALL-UNNAMED -jar lib/sonar-application-"${SONAR_VERSION}".jar -Dsonar.log.console=true "$@"
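Review bot: In `2025/datacenter/app/run.sh` the `else` branch runs `mkdir -p ${SONAR_CLUSTER_PATH_LOGS}}` with a stray closing brace, so when `SONAR_PATH_LOGS` is set the script creates a directory whose name ends in `}` while `sonar.path.logs` is passed the path without it. The directory the server is told to log into is therefore never created by this script; whether the server creates it on its own is not visible here. The line should read `mkdir -p "${SONAR_CLUSTER_PATH_LOGS}"`, and the sibling call is better quoted too, `mkdir -p "${SONARQUBE_HOME}/${SONAR_CLUSTER_PATH_LOGS}"`, because both paths are built from environment-supplied values and are currently subject to word splitting.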
diff --git a/2025/datacenter/search/Dockerfile b/2025/datacenter/search/Dockerfile
new file mode 100644
index 000000000..42865517e
--- /dev/null
+++ b/2025/datacenter/search/Dockerfile
@@ -0,0 +1,81 @@
+FROM eclipse-temurin:17-jre-noble
+
+LABEL io.k8s.description="SonarQube Server is a self-managed, automatic code review tool that systematically helps you deliver Clean Code."
+LABEL io.openshift.min-cpu=400m
+LABEL io.openshift.min-memory=2048M
+LABEL io.openshift.non-scalable=false
+LABEL io.openshift.tags=sonarqube,static-code-analysis,code-quality,clean-code
+LABEL org.opencontainers.image.url=https://github.com/SonarSource/docker-sonarqube
+LABEL com.googleapis.cloudmarketplace.product.service.name=services/sonarqube-dce
+
+ENV LANG='en_US.UTF-8' \
+ LANGUAGE='en_US:en' \
+ LC_ALL='en_US.UTF-8'
+
+#
+# SonarQube setup
+#
+ARG SONARQUBE_VERSION=2025.1.0.102418
+ARG SONARQUBE_ZIP_URL=https://binaries.sonarsource.com/CommercialDistribution/sonarqube-datacenter/sonarqube-datacenter-${SONARQUBE_VERSION}.zip
+ENV DOCKER_RUNNING="true" \
+ JAVA_HOME='/opt/java/openjdk' \
+ SONARQUBE_HOME=/opt/sonarqube \
+ SONAR_VERSION="${SONARQUBE_VERSION}" \
+ SQ_DATA_DIR="/opt/sonarqube/data" \
+ SQ_EXTENSIONS_DIR="/opt/sonarqube/extensions" \
+ SQ_LOGS_DIR="/opt/sonarqube/logs" \
+ SQ_TEMP_DIR="/opt/sonarqube/temp" \
+ SONAR_CLUSTER_NODE_TYPE="search" \
+ SONAR_CLUSTER_ENABLED="true"
+
+# Separate stage to use variable expansion
+ENV ES_TMPDIR="${SQ_TEMP_DIR}"
+
+RUN set -eux; \
+ deluser ubuntu; \
+ useradd --system --uid 1000 --gid 0 sonarqube; \
+ apt-get update; \
+ apt-get --no-install-recommends -y install \
+ bash \
+ curl \
+ fonts-dejavu \
+ gnupg \
+ iproute2 \
+ unzip; \
+ echo "networkaddress.cache.ttl=5" >> "${JAVA_HOME}/conf/security/java.security"; \
+ sed --in-place --expression="s?securerandom.source=file:/dev/random?securerandom.source=file:/dev/urandom?g" "${JAVA_HOME}/conf/security/java.security"; \
+ # pub 2048R/D26468DE 2015-05-25
+ # Key fingerprint = F118 2E81 C792 9289 21DB CAB4 CFCA 4A29 D264 68DE
+ # uid sonarsource_deployer (Sonarsource Deployer)
+ # sub 2048R/06855C1D 2015-05-25
+ for server in $(shuf -e hkps://keys.openpgp.org \
+ hkps://keyserver.ubuntu.com) ; do \
+ gpg --batch --keyserver "${server}" --recv-keys 679F1EE92B19609DE816FDE81DB198F93525EC1A && break || : ; \
+ done; \
+ mkdir --parents /opt; \
+ cd /opt; \
+ curl --fail --location --output sonarqube.zip --silent --show-error "${SONARQUBE_ZIP_URL}"; \
+ curl --fail --location --output sonarqube.zip.asc --silent --show-error "${SONARQUBE_ZIP_URL}.asc"; \
+ gpg --batch --verify sonarqube.zip.asc sonarqube.zip; \
+ unzip -q sonarqube.zip; \
+ mv "sonarqube-${SONARQUBE_VERSION}" sonarqube; \
+ rm sonarqube.zip*; \
+ rm -rf ${SONARQUBE_HOME}/bin/*; \
+ ln -s "${SONARQUBE_HOME}/lib/sonar-application-${SONARQUBE_VERSION}.jar" "${SONARQUBE_HOME}/lib/sonarqube.jar"; \
+ chmod -R 550 ${SONARQUBE_HOME}; \
+ chmod -R 770 "${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}"; \
+ apt-get remove -y gnupg unzip curl; \
+ rm -rf /var/lib/apt/lists/*;
+
+VOLUME ["${SQ_DATA_DIR}", "${SQ_EXTENSIONS_DIR}", "${SQ_LOGS_DIR}", "${SQ_TEMP_DIR}"]
+
+COPY run.sh sonar.sh ${SONARQUBE_HOME}/docker/
+
+WORKDIR ${SONARQUBE_HOME}
+EXPOSE 9000
+
+USER sonarqube
+STOPSIGNAL SIGINT
+
+ENTRYPOINT ["/opt/sonarqube/docker/run.sh"]
+CMD ["/opt/sonarqube/docker/sonar.sh"]
diff --git a/2025/datacenter/search/run.sh b/2025/datacenter/search/run.sh
new file mode 100755
index 000000000..e517e3f59
--- /dev/null
+++ b/2025/datacenter/search/run.sh
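Review bot: The cleanup step `apt-get remove -y gnupg unzip curl` in the search Dockerfile removes only the named packages, so whatever was installed as their dependencies stays in the final image; on Ubuntu `gnupg` is largely a metapackage, so the gpg binaries themselves most likely remain, as does the keyring imported into root's GnuPG home during the build. If the intent is to ship without the verification tooling, consider `apt-get purge -y --auto-remove gnupg unzip curl;` followed by `rm -rf /root/.gnupg;` (assuming the default home for the build user), after checking that auto-remove does not drop anything the base image relies on. The app, developer and enterprise Dockerfiles have the same step without `curl`.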
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+HOSTNAME=$(hostname)
+IP=$(ip -4 address show scope global | grep inet | awk '{ print $2 }' | head -n 1 | cut -d \/ -f 1)
+
+declare -a sq_opts=()
+set_prop() {
+ if [ "$2" ]; then
+ sq_opts+=("-D$1=$2")
+ fi
+}
+
+# if nothing is passed, assume we want to run sonarqube server
+if [ "$#" == 0 ]; then
+ set -- /opt/sonarqube/docker/sonar.sh
+fi
+
+# if first arg looks like a flag, assume we want to run sonarqube server with flags
+if [ "${1:0:1}" = '-' ]; then
+ set -- /opt/sonarqube/docker/sonar.sh "$@"
+fi
+
+if [[ "$1" = '/opt/sonarqube/docker/sonar.sh' ]]; then
+
+ #
+ # Set mandatory properties
+ #
+ set_prop "sonar.cluster.node.search.host" "${IP:-}"
+ set_prop "sonar.cluster.node.es.host" "${IP:-}"
+
+ if [ ${#sq_opts[@]} -ne 0 ]; then
+ set -- "$@" "${sq_opts[@]}"
+ fi
+fi
+
+exec "$@"
diff --git a/2025/datacenter/search/sonar.sh b/2025/datacenter/search/sonar.sh
new file mode 100755
index 000000000..765ff8c50
--- /dev/null
+++ b/2025/datacenter/search/sonar.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# JVM args needed for hazelcast
+exec /opt/java/openjdk/bin/java --add-exports=java.base/jdk.internal.ref=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.nio=ALL-UNNAMED --add-opens=java.base/sun.nio.ch=ALL-UNNAMED --add-opens=java.management/sun.management=ALL-UNNAMED --add-opens=jdk.management/com.sun.management.internal=ALL-UNNAMED -jar lib/sonar-application-"${SONAR_VERSION}".jar -Dsonar.log.console=true "$@"
diff --git a/2025/developer/Dockerfile b/2025/developer/Dockerfile
new file mode 100644
index 000000000..7b2dbe62b
--- /dev/null
+++ b/2025/developer/Dockerfile
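Review bot: In `2025/datacenter/search/run.sh` the assignment `IP=$(ip -4 address show scope global | grep inet | …)` runs under `set -euo pipefail`, so when the container has no global IPv4 address `grep` exits non-zero and the script terminates at that line without any message; the later `${IP:-}` fallbacks are never reached in that case. It also takes the first address listed, so a container attached to several networks may advertise `sonar.cluster.node.search.host` on a network that was not meant to carry cluster traffic. I would append `|| true` to the pipeline and follow it with `[ -n "${IP}" ] || { echo "run.sh: no global IPv4 address found" >&2; exit 1; }`, and document that the first global address is the one used. The same derivation is in `2025/datacenter/app/run.sh`.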
@@ -0,0 +1,76 @@
+FROM eclipse-temurin:17-jre-noble
+
+LABEL io.k8s.description="SonarQube Server is a self-managed, automatic code review tool that systematically helps you deliver Clean Code."
+LABEL io.openshift.min-cpu=400m
+LABEL io.openshift.min-memory=2048M
+LABEL io.openshift.non-scalable=true
+LABEL io.openshift.tags=sonarqube,static-code-analysis,code-quality,clean-code
+LABEL org.opencontainers.image.url=https://github.com/SonarSource/docker-sonarqube
+
+ENV LANG='en_US.UTF-8' \
+ LANGUAGE='en_US:en' \
+ LC_ALL='en_US.UTF-8'
+
+#
+# SonarQube setup
+#
+ARG SONARQUBE_VERSION=2025.1.0.102418
+ARG SONARQUBE_ZIP_URL=https://binaries.sonarsource.com/CommercialDistribution/sonarqube-developer/sonarqube-developer-${SONARQUBE_VERSION}.zip
+ENV DOCKER_RUNNING="true" \
+ JAVA_HOME='/opt/java/openjdk' \
+ SONARQUBE_HOME=/opt/sonarqube \
+ SONAR_VERSION="${SONARQUBE_VERSION}" \
+ SQ_DATA_DIR="/opt/sonarqube/data" \
+ SQ_EXTENSIONS_DIR="/opt/sonarqube/extensions" \
+ SQ_LOGS_DIR="/opt/sonarqube/logs" \
+ SQ_TEMP_DIR="/opt/sonarqube/temp"
+
+# Separate stage to use variable expansion
+ENV ES_TMPDIR="${SQ_TEMP_DIR}"
+
+RUN set -eux; \
+ deluser ubuntu; \
+ useradd --system --uid 1000 --gid 0 sonarqube; \
+ apt-get update; \
+ apt-get --no-install-recommends -y install \
+ bash \
+ curl \
+ fonts-dejavu \
+ gnupg \
+ unzip; \
+ echo "networkaddress.cache.ttl=5" >> "${JAVA_HOME}/conf/security/java.security"; \
+ sed --in-place --expression="s?securerandom.source=file:/dev/random?securerandom.source=file:/dev/urandom?g" "${JAVA_HOME}/conf/security/java.security"; \
+ # pub 2048R/D26468DE 2015-05-25
+ # Key fingerprint = F118 2E81 C792 9289 21DB CAB4 CFCA 4A29 D264 68DE
+ # uid sonarsource_deployer (Sonarsource Deployer)
+ # sub 2048R/06855C1D 2015-05-25
+ for server in $(shuf -e hkps://keys.openpgp.org \
+ hkps://keyserver.ubuntu.com) ; do \
+ gpg --batch --keyserver "${server}" --recv-keys 679F1EE92B19609DE816FDE81DB198F93525EC1A && break || : ; \
+ done; \
+ mkdir --parents /opt; \
+ cd /opt; \
+ curl --fail --location --output sonarqube.zip --silent --show-error "${SONARQUBE_ZIP_URL}"; \
+ curl --fail --location --output sonarqube.zip.asc --silent --show-error "${SONARQUBE_ZIP_URL}.asc"; \
+ gpg --batch --verify sonarqube.zip.asc sonarqube.zip; \
+ unzip -q sonarqube.zip; \
+ mv "sonarqube-${SONARQUBE_VERSION}" sonarqube; \
+ rm sonarqube.zip*; \
+ rm -rf ${SONARQUBE_HOME}/bin/*; \
+ ln -s "${SONARQUBE_HOME}/lib/sonar-application-${SONARQUBE_VERSION}.jar" "${SONARQUBE_HOME}/lib/sonarqube.jar"; \
+ chmod -R 550 ${SONARQUBE_HOME}; \
+ chmod -R 770 "${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}"; \
+ apt-get remove -y gnupg unzip; \
+ rm -rf /var/lib/apt/lists/*;
+
+VOLUME ["${SQ_DATA_DIR}", "${SQ_EXTENSIONS_DIR}", "${SQ_LOGS_DIR}", "${SQ_TEMP_DIR}"]
+
+COPY entrypoint.sh ${SONARQUBE_HOME}/docker/
+
+WORKDIR ${SONARQUBE_HOME}
+EXPOSE 9000
+
+USER sonarqube
+STOPSIGNAL SIGINT
+
+ENTRYPOINT ["/opt/sonarqube/docker/entrypoint.sh"]
diff --git a/2025/developer/entrypoint.sh b/2025/developer/entrypoint.sh
new file mode 100755
index 000000000..75ecc8d07
--- /dev/null
+++ b/2025/developer/entrypoint.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+set -e
+
+DEFAULT_CMD=('/opt/java/openjdk/bin/java' '-jar' 'lib/sonarqube.jar' '-Dsonar.log.console=true')
+
+# this if will check if the first argument is a flag
+# but only works if all arguments require a hyphenated flag
+# -v; -SL; -f arg; etc will work, but not arg1 arg2
+if [ "$#" -eq 0 ] || [ "${1#-}" != "$1" ]; then
+ set -- "${DEFAULT_CMD[@]}" "$@"
+fi
+
+exec "$@"
diff --git a/2025/enterprise/Dockerfile b/2025/enterprise/Dockerfile
new file mode 100644
index 000000000..7f21a128d
--- /dev/null
+++ b/2025/enterprise/Dockerfile
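Review bot: The default `ARG SONARQUBE_VERSION=2025.1.0.102418` in `2025/developer/Dockerfile` does not match the tag CI applies to this tree: `.cirrus/tasks.yml` in the same commit tags images built from `2025/developer` as `${NEXT_VERSION}-developer`, i.e. `2025.2.0-developer`. Unless the build passes `--build-arg SONARQUBE_VERSION=…` (not visible in this diff), an image tagged 2025.2.0 would contain the 2025.1.0 binaries, which makes the tag unreliable for vulnerability tracking and scanning. A comment next to the ARG such as `# TODO: bump to the 2025.2.0 build before any 2025.2.0 tag is published` would make the placeholder explicit. The other three Dockerfiles under `2025/` carry the same default.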
@@ -0,0 +1,76 @@
+FROM eclipse-temurin:17-jre-noble
+
+LABEL io.k8s.description="SonarQube Server is a self-managed, automatic code review tool that systematically helps you deliver Clean Code."
+LABEL io.openshift.min-cpu=400m
+LABEL io.openshift.min-memory=2048M
+LABEL io.openshift.non-scalable=true
+LABEL io.openshift.tags=sonarqube,static-code-analysis,code-quality,clean-code
+LABEL org.opencontainers.image.url=https://github.com/SonarSource/docker-sonarqube
+
+ENV LANG='en_US.UTF-8' \
+ LANGUAGE='en_US:en' \
+ LC_ALL='en_US.UTF-8'
+
+#
+# SonarQube setup
+#
+ARG SONARQUBE_VERSION=2025.1.0.102418
+ARG SONARQUBE_ZIP_URL=https://binaries.sonarsource.com/CommercialDistribution/sonarqube-enterprise/sonarqube-enterprise-${SONARQUBE_VERSION}.zip
+ENV DOCKER_RUNNING="true" \
+ JAVA_HOME='/opt/java/openjdk' \
+ SONARQUBE_HOME=/opt/sonarqube \
+ SONAR_VERSION="${SONARQUBE_VERSION}" \
+ SQ_DATA_DIR="/opt/sonarqube/data" \
+ SQ_EXTENSIONS_DIR="/opt/sonarqube/extensions" \
+ SQ_LOGS_DIR="/opt/sonarqube/logs" \
+ SQ_TEMP_DIR="/opt/sonarqube/temp"
+
+# Separate stage to use variable expansion
+ENV ES_TMPDIR="${SQ_TEMP_DIR}"
+
+RUN set -eux; \
+ deluser ubuntu; \
+ useradd --system --uid 1000 --gid 0 sonarqube; \
+ apt-get update; \
+ apt-get --no-install-recommends -y install \
+ bash \
+ curl \
+ fonts-dejavu \
+ gnupg \
+ unzip; \
+ echo "networkaddress.cache.ttl=5" >> "${JAVA_HOME}/conf/security/java.security"; \
+ sed --in-place --expression="s?securerandom.source=file:/dev/random?securerandom.source=file:/dev/urandom?g" "${JAVA_HOME}/conf/security/java.security"; \
+ # pub 2048R/D26468DE 2015-05-25
+ # Key fingerprint = F118 2E81 C792 9289 21DB CAB4 CFCA 4A29 D264 68DE
+ # uid sonarsource_deployer (Sonarsource Deployer)
+ # sub 2048R/06855C1D 2015-05-25
+ for server in $(shuf -e hkps://keys.openpgp.org \
+ hkps://keyserver.ubuntu.com) ; do \
+ gpg --batch --keyserver "${server}" --recv-keys 679F1EE92B19609DE816FDE81DB198F93525EC1A && break || : ; \
+ done; \
+ mkdir --parents /opt; \
+ cd /opt; \
+ curl --fail --location --output sonarqube.zip --silent --show-error "${SONARQUBE_ZIP_URL}"; \
+ curl --fail --location --output sonarqube.zip.asc --silent --show-error "${SONARQUBE_ZIP_URL}.asc"; \
+ gpg --batch --verify sonarqube.zip.asc sonarqube.zip; \
+ unzip -q sonarqube.zip; \
+ mv "sonarqube-${SONARQUBE_VERSION}" sonarqube; \
+ rm sonarqube.zip*; \
+ rm -rf ${SONARQUBE_HOME}/bin/*; \
+ ln -s "${SONARQUBE_HOME}/lib/sonar-application-${SONARQUBE_VERSION}.jar" "${SONARQUBE_HOME}/lib/sonarqube.jar"; \
+ chmod -R 550 ${SONARQUBE_HOME}; \
+ chmod -R 770 "${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}"; \
+ apt-get remove -y gnupg unzip; \
+ rm -rf /var/lib/apt/lists/*;
+
+VOLUME ["${SQ_DATA_DIR}", "${SQ_EXTENSIONS_DIR}", "${SQ_LOGS_DIR}", "${SQ_TEMP_DIR}"]
+
+COPY entrypoint.sh ${SONARQUBE_HOME}/docker/
+
+WORKDIR ${SONARQUBE_HOME}
+EXPOSE 9000
+
+USER sonarqube
+STOPSIGNAL SIGINT
+
+ENTRYPOINT ["/opt/sonarqube/docker/entrypoint.sh"]
diff --git a/2025/enterprise/entrypoint.sh b/2025/enterprise/entrypoint.sh
new file mode 100755
index 000000000..75ecc8d07
--- /dev/null
+++ b/2025/enterprise/entrypoint.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+set -e
+
+DEFAULT_CMD=('/opt/java/openjdk/bin/java' '-jar' 'lib/sonarqube.jar' '-Dsonar.log.console=true')
+
+# this if will check if the first argument is a flag
+# but only works if all arguments require a hyphenated flag
+# -v; -SL; -f arg; etc will work, but not arg1 arg2
+if [ "$#" -eq 0 ] || [ "${1#-}" != "$1" ]; then
+ set -- "${DEFAULT_CMD[@]}" "$@"
+fi
+
+exec "$@"