diff --git a/apps/sonar/apps_v1_StatefulSet_sonar-sonarqube.yaml b/apps/sonar/apps_v1_StatefulSet_sonar-sonarqube.yaml
deleted file mode 100644
index 62577e4..0000000
--- a/apps/sonar/apps_v1_StatefulSet_sonar-sonarqube.yaml
+++ /dev/null
@@ -1,302 +0,0 @@
-# Source: sonarqube/templates/sonarqube-sts.yaml
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: sonar-sonarqube
-  labels:
-    app: sonarqube
-    chart: sonarqube-10.5.1_2816
-    release: sonar
-    heritage: Helm
-    app.kubernetes.io/name: sonarqube-sonar-sonarqube
-    app.kubernetes.io/instance: sonar
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/part-of: sonarqube
-    app.kubernetes.io/component: sonar-sonarqube
-    app.kubernetes.io/version: "10.5.1-community"
-spec:
-  replicas: 1
-  revisionHistoryLimit: 10
-  serviceName: sonar-sonarqube
-  selector:
-    matchLabels:
-      app: sonarqube
-      release: sonar
-  template:
-    metadata:
-      labels:
-        app: sonarqube
-        release: sonar
-      annotations:
-        checksum/init-sysctl: f024654d224568f7d00f522ab1f651e593efb55ee745e9624beec68996a4458d
-        checksum/init-fs: 4c8e59703fd03b0281f452e07eb3f3bdab1150a196f823234e641aaa2afb0253
-        checksum/plugins: 4e5baae46155e41236fcbdf85ea8b9ba3358994284bc26fb45d44a728d2b5c8e
-        checksum/config: 8dfa24e99816e4a8762c59197f8f41e53f8517b2f62d8839b7464952f77ad240
-        checksum/secret: 11c9bb7cdad024fc7971937b62d5245054c1091fc798528488974ef4bd5b7255
-        checksum/prometheus-config: 8b558b466ef4f60ab41a25ee83bb1cd6798a7c51aea6c557c75718f8b0527a61
-        checksum/prometheus-ce-config: 6af690da3580e26dbbfb7d1eea66284f1f52b2cff5db113b8acad5cdb87f4772
-    spec:
-      automountServiceAccountToken: false      
-      securityContext:
-        fsGroup: 0
-      initContainers:
-        - name: "wait-for-db"
-          image: sonarqube:10.5.1-community
-          imagePullPolicy: IfNotPresent
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-              - ALL
-            runAsGroup: 0
-            runAsNonRoot: true
-            runAsUser: 1000
-            seccompProfile:
-              type: RuntimeDefault
-          resources:
-            {}
-          command: ["/bin/bash", "-c"]
-          args: ['set -o pipefail;for i in {1..200};do (echo > /dev/tcp/sonar-postgresql/5432) && exit 0; sleep 2;done; exit 1']
-        - name: init-sysctl
-          image: sonarqube:10.5.1-community
-          imagePullPolicy: IfNotPresent
-          securityContext:
-            privileged: true
-            runAsUser: 0
-          resources:
-            {}
-          command: ["/bin/bash",
-            "-e",
-            "/tmp/scripts/init_sysctl.sh"]
-          volumeMounts:
-            - name: init-sysctl
-              mountPath: /tmp/scripts/
-          env:
-            - name: SONAR_WEB_CONTEXT
-              value: /
-            - name: SONAR_WEB_JAVAOPTS
-              value: -javaagent:/opt/sonarqube/data/jmx_prometheus_javaagent.jar=8000:/opt/sonarqube/conf/prometheus-config.yaml
-            - name: SONAR_CE_JAVAOPTS
-              value: -javaagent:/opt/sonarqube/data/jmx_prometheus_javaagent.jar=8001:/opt/sonarqube/conf/prometheus-ce-config.yaml
-        - name: inject-prometheus-exporter
-          image: sonarqube:10.5.1-community
-          imagePullPolicy: IfNotPresent
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-              - ALL
-            runAsGroup: 0
-            runAsNonRoot: true
-            runAsUser: 1000
-            seccompProfile:
-              type: RuntimeDefault
-          resources:
-            {}
-          command: ["/bin/sh","-c"]
-          args: ["curl -s 'https://repo1.maven.org/maven2/io/prometheus/jmx/jmx_prometheus_javaagent/0.17.2/jmx_prometheus_javaagent-0.17.2.jar'  --output /data/jmx_prometheus_javaagent.jar -v"]
-          volumeMounts:
-            - mountPath: /data
-              name: sonarqube
-              subPath: data
-          env:
-            - name: http_proxy
-              value: 
-            - name: https_proxy
-              value: 
-            - name: no_proxy
-              value: 
-            - name: SONAR_WEB_CONTEXT
-              value: /
-            - name: SONAR_WEB_JAVAOPTS
-              value: -javaagent:/opt/sonarqube/data/jmx_prometheus_javaagent.jar=8000:/opt/sonarqube/conf/prometheus-config.yaml
-            - name: SONAR_CE_JAVAOPTS
-              value: -javaagent:/opt/sonarqube/data/jmx_prometheus_javaagent.jar=8001:/opt/sonarqube/conf/prometheus-ce-config.yaml
-        - name: install-plugins
-          image: sonarqube:10.5.1-community
-          imagePullPolicy: IfNotPresent
-          command: ["sh",
-            "-e",
-            "/tmp/scripts/install_plugins.sh"]
-          volumeMounts:
-            - mountPath: /opt/sonarqube/extensions/plugins
-              name: sonarqube
-              subPath: extensions/plugins
-            - name: install-plugins
-              mountPath: /tmp/scripts/
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-              - ALL
-            runAsGroup: 0
-            runAsNonRoot: true
-            runAsUser: 1000
-            seccompProfile:
-              type: RuntimeDefault
-          resources:
-            {}
-          env:
-            - name: http_proxy
-              value: 
-            - name: https_proxy
-              value: 
-            - name: no_proxy
-              value: 
-            - name: SONAR_WEB_CONTEXT
-              value: /
-            - name: SONAR_WEB_JAVAOPTS
-              value: -javaagent:/opt/sonarqube/data/jmx_prometheus_javaagent.jar=8000:/opt/sonarqube/conf/prometheus-config.yaml
-            - name: SONAR_CE_JAVAOPTS
-              value: -javaagent:/opt/sonarqube/data/jmx_prometheus_javaagent.jar=8001:/opt/sonarqube/conf/prometheus-ce-config.yaml
-      containers:
-        - name: sonarqube
-          image: sonarqube:10.5.1-community
-          imagePullPolicy: IfNotPresent
-          ports:
-            - name: http
-              containerPort: 9000
-              protocol: TCP
-            - name: monitoring-web
-              containerPort: 8000
-              protocol: TCP
-            - name: monitoring-ce
-              containerPort: 8001
-              protocol: TCP
-          resources:
-            limits:
-              cpu: 800m
-              ephemeral-storage: 512000M
-              memory: 6144M
-            requests:
-              cpu: 400m
-              ephemeral-storage: 1536M
-              memory: 2048M
-          env:
-            - name: SONAR_WEB_CONTEXT
-              value: /
-            - name: SONAR_WEB_JAVAOPTS
-              value: -javaagent:/opt/sonarqube/data/jmx_prometheus_javaagent.jar=8000:/opt/sonarqube/conf/prometheus-config.yaml
-            - name: SONAR_CE_JAVAOPTS
-              value: -javaagent:/opt/sonarqube/data/jmx_prometheus_javaagent.jar=8001:/opt/sonarqube/conf/prometheus-ce-config.yaml
-            - name: SONAR_HELM_CHART_VERSION
-              value: 10.5.1_2816
-            - name: SONAR_JDBC_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: sonar-postgresql
-                  key: postgresql-password
-            - name: SONAR_WEB_SYSTEMPASSCODE
-              valueFrom:
-                secretKeyRef:
-                  name: sonar-sonarqube-monitoring-passcode
-                  key: SONAR_WEB_SYSTEMPASSCODE
-          envFrom:
-            - configMapRef:
-                name: sonar-sonarqube-jdbc-config
-          livenessProbe:
-            exec:
-              command:
-              - sh
-              - -c
-              - |
-                wget --no-proxy --quiet -O /dev/null --timeout=1 --header="X-Sonar-Passcode: $SONAR_WEB_SYSTEMPASSCODE" "http://localhost:9000/api/system/liveness"
-            initialDelaySeconds: 60
-            periodSeconds: 30
-            failureThreshold: 6
-            timeoutSeconds: 1
-          readinessProbe:
-            exec:
-              command:
-              - sh
-              - -c
-              - |
-                #!/bin/bash
-                # A Sonarqube container is considered ready if the status is UP, DB_MIGRATION_NEEDED or DB_MIGRATION_RUNNING
-                # status about migration are added to prevent the node to be kill while sonarqube is upgrading the database.
-                if wget --no-proxy -qO- http://localhost:9000/api/system/status | grep -q -e '"status":"UP"' -e '"status":"DB_MIGRATION_NEEDED"' -e '"status":"DB_MIGRATION_RUNNING"'; then
-                	exit 0
-                fi
-                exit 1
-            initialDelaySeconds: 60
-            periodSeconds: 30
-            failureThreshold: 6
-            timeoutSeconds: 1
-          startupProbe:
-            httpGet:
-              scheme: HTTP
-              path: /api/system/status
-              port: http
-            initialDelaySeconds: 30
-            periodSeconds: 10
-            failureThreshold: 24
-            timeoutSeconds: 1
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-              - ALL
-            runAsGroup: 0
-            runAsNonRoot: true
-            runAsUser: 1000
-            seccompProfile:
-              type: RuntimeDefault
-          volumeMounts:
-            - mountPath: /opt/sonarqube/data
-              name: sonarqube
-              subPath: data
-            - mountPath: /opt/sonarqube/extensions/plugins
-              name: sonarqube
-              subPath: extensions/plugins
-            - mountPath: /opt/sonarqube/temp
-              name: sonarqube
-              subPath: temp
-            - mountPath: /opt/sonarqube/logs
-              name: sonarqube
-              subPath: logs
-            - mountPath: /tmp
-              name: tmp-dir
-            - mountPath: /opt/sonarqube/conf/prometheus-config.yaml
-              subPath: prometheus-config.yaml
-              name: prometheus-config
-            - mountPath: /opt/sonarqube/conf/prometheus-ce-config.yaml
-              subPath: prometheus-ce-config.yaml
-              name: prometheus-ce-config
-      serviceAccountName: default
-      volumes:
-      - name: init-sysctl
-        configMap:
-          name: sonar-sonarqube-init-sysctl
-          items:
-            - key: init_sysctl.sh
-              path: init_sysctl.sh
-      - name: init-fs
-        configMap:
-          name: sonar-sonarqube-init-fs
-          items:
-            - key: init_fs.sh
-              path: init_fs.sh
-      - name: install-plugins
-        configMap:
-          name: sonar-sonarqube-install-plugins
-          items:
-            - key: install_plugins.sh
-              path: install_plugins.sh
-      - name: prometheus-config
-        configMap:
-          name: sonar-sonarqube-prometheus-config
-          items:
-            - key: prometheus-config.yaml
-              path: prometheus-config.yaml
-      - name: prometheus-ce-config
-        configMap:
-          name: sonar-sonarqube-prometheus-ce-config
-          items:
-            - key: prometheus-ce-config.yaml
-              path: prometheus-ce-config.yaml
-      - name: sonarqube
-        emptyDir:
-          {}
-      - name : tmp-dir
-        emptyDir:
-          {}
\ No newline at end of file
diff --git a/apps/sonar/common.tf b/apps/sonar/common.tf
new file mode 100644
index 0000000..561672c
--- /dev/null
+++ b/apps/sonar/common.tf
@@ -0,0 +1,22 @@
+locals {
+  core_labels = {
+    "app.kubernetes.io/name" = var.component
+    "app.kubernetes.io/instance" = var.instance
+  }
+  common_labels = merge({
+    "vynil.solidite.fr/owner-name" = var.instance
+    "vynil.solidite.fr/owner-namespace" = var.namespace
+    "vynil.solidite.fr/owner-category" = var.category
+    "vynil.solidite.fr/owner-component" = var.component
+    "app.kubernetes.io/managed-by" = "vynil"
+  },local.core_labels)
+  sonar_labels = merge({
+    "app.kubernetes.io/componant" = "sonarQube"
+  },local.core_labels)
+  sonar_all_labels = merge({
+    "app.kubernetes.io/componant" = "sonarQube"
+  },local.common_labels)
+  pg_labels = merge(local.common_labels, {
+    "app.kubernetes.io/component" = "pg"
+  })
+}
diff --git a/apps/sonar/index.yaml b/apps/sonar/index.yaml
index 20eea39..a91d3e7 100644
--- a/apps/sonar/index.yaml
+++ b/apps/sonar/index.yaml
@@ -6,6 +6,11 @@ metadata:
   name: sonar
   description: The code quality tool for better code
 options:
+  app_group:
+    default: dev
+    examples:
+    - dev
+    type: string
   domain:
     default: your-company
     examples:
@@ -21,21 +26,21 @@ options:
       sonar:
         pull_policy: IfNotPresent
         registry: docker.io
-        repository: to-be/defined
-        tag: v1.0.0
+        repository: sonarqube
+        tag: 10.5.1-community
     examples:
     - sonar:
         pull_policy: IfNotPresent
         registry: docker.io
-        repository: to-be/defined
-        tag: v1.0.0
+        repository: sonarqube
+        tag: 10.5.1-community
     properties:
       sonar:
         default:
           pull_policy: IfNotPresent
           registry: docker.io
-          repository: to-be/defined
-          tag: v1.0.0
+          repository: sonarqube
+          tag: 10.5.1-community
         properties:
           pull_policy:
             default: IfNotPresent
@@ -48,10 +53,10 @@ options:
             default: docker.io
             type: string
           repository:
-            default: to-be/defined
+            default: sonarqube
             type: string
           tag:
-            default: v1.0.0
+            default: 10.5.1-community
             type: string
         type: object
     type: object
@@ -83,6 +88,86 @@ options:
     items:
       type: string
     type: array
+  postgres:
+    default:
+      replicas: 1
+    examples:
+    - replicas: 1
+    properties:
+      replicas:
+        default: 1
+        type: integer
+    type: object
+  resources:
+    limits:
+      cpu: 800m
+      ephemeral-storage: 512000M
+      memory: 6144M
+    requests:
+      cpu: 400m
+      ephemeral-storage: 1536M
+      memory: 2048M
+  storage:
+    default:
+      postgres:
+        size: 5Gi
+      volume:
+        accessMode: ReadWriteOnce
+        class: ''
+        maxSize: 100Gi
+        size: 10Gi
+        type: Filesystem
+    description: Configure this app storage
+    examples:
+    - postgres:
+        size: 5Gi
+      volume:
+        accessMode: ReadWriteOnce
+        class: ''
+        maxSize: 100Gi
+        size: 10Gi
+        type: Filesystem
+    properties:
+      postgres:
+        default:
+          size: 5Gi
+        properties:
+          size:
+            default: 5Gi
+            type: string
+        type: object
+      volume:
+        default:
+          accessMode: ReadWriteOnce
+          class: ''
+          maxSize: 100Gi
+          size: 10Gi
+          type: Filesystem
+        properties:
+          accessMode:
+            default: ReadWriteOnce
+            enum:
+            - ReadWriteOnce
+            - ReadOnlyMany
+            - ReadWriteMany
+            type: string
+          class:
+            default: ''
+            type: string
+          maxSize:
+            default: 100Gi
+            type: string
+          size:
+            default: 10Gi
+            type: string
+          type:
+            default: Filesystem
+            enum:
+            - Filesystem
+            - Block
+            type: string
+        type: object
+    type: object
   sub_domain:
     default: sonar
     examples:
diff --git a/apps/sonar/postgresql.tf b/apps/sonar/postgresql.tf
new file mode 100644
index 0000000..2407605
--- /dev/null
+++ b/apps/sonar/postgresql.tf
@@ -0,0 +1,57 @@
+resource "kubectl_manifest" "prj_pg" {
+  yaml_body  = join("", concat([<<-EOF
+    apiVersion: postgresql.cnpg.io/v1
+    kind: Cluster
+    metadata:
+      name: "${var.instance}-${var.component}-pg"
+      namespace: "${var.namespace}"
+      labels: ${jsonencode(local.pg_labels)}
+    spec:
+      instances: ${var.postgres.replicas}
+      imageName: "${var.images.postgresql.registry}/${var.images.postgresql.repository}:${var.images.postgresql.tag}"
+      storage:
+        size: "${var.storage.postgres.size}"
+      bootstrap:
+        initdb:
+          database: "${var.component}"
+          owner: "${var.component}"
+      monitoring:
+        enablePodMonitor: true
+      inheritedMetadata:
+        annotations:
+          "k8up.io/backupcommand": "pg_dump -U postgres -d ${var.component} --clean"
+          "k8up.io/file-extension": ".sql"
+          "k8up.io/backup": "true"
+  EOF
+  ], var.backups.enable&&var.backups.use_barman?[<<-EOF
+      backup:
+        barmanObjectStore:
+          destinationPath: "s3://${var.instance}-${var.namespace}/"
+          endpointURL: "${var.backups.endpoint}/barman"
+          s3Credentials:
+            accessKeyId:
+              name: "${var.backups.secret_name}"
+              key: "${var.backups.key_id_key}"
+            secretAccessKey:
+              name: "${var.backups.secret_name}"
+              key: "${var.backups.secret_key}"
+  EOF
+  ]:[""]))
+}
+
+resource "kubectl_manifest" "prj_pg_backup" {
+  count = var.backups.enable ? 1:0
+  yaml_body  = <<-EOF
+    apiVersion: postgresql.cnpg.io/v1
+    kind: ScheduledBackup
+    metadata:
+      name: "${var.instance}-${var.component}-pg"
+      namespace: "${var.namespace}"
+      labels: ${jsonencode(local.pg_labels)}
+    spec:
+      schedule: "${var.backups.schedule.db}"
+      backupOwnerReference: self
+      cluster:
+        name: "${var.instance}-${var.component}-pg"
+  EOF
+}
diff --git a/apps/sonar/sonar_ConfigMap.tf b/apps/sonar/sonar_ConfigMap.tf
new file mode 100644
index 0000000..a67d5ed
--- /dev/null
+++ b/apps/sonar/sonar_ConfigMap.tf
@@ -0,0 +1,94 @@
+resource "kubectl_manifest" "cm_env" {
+  yaml_body  = <<-EOF
+    apiVersion: v1
+    kind: ConfigMap
+    metadata:
+      name: "${var.instance}-${var.component}-envs"
+      labels: ${jsonencode(local.sonar_all_labels)}
+      namespace: ${var.namespace}
+    data:
+      SONAR_JDBC_USERNAME: ${var.component}
+      SONAR_JDBC_URL: jdbc:postgresql://${var.instance}-${var.component}-rw.${var.namespace}.svc:5432/${var.component}
+      SONAR_WEB_CONTEXT: /
+      SONAR_WEB_JAVAOPTS: -javaagent:/opt/sonarqube/data/jmx_prometheus_javaagent.jar=8000:/opt/sonarqube/conf/prometheus-config.yaml
+      SONAR_CE_JAVAOPTS:  -javaagent:/opt/sonarqube/data/jmx_prometheus_javaagent.jar=8001:/opt/sonarqube/conf/prometheus-ce-config.yaml
+EOF
+}
+
+resource "kubectl_manifest" "cm_files" {
+  yaml_body  = <<-EOF
+    apiVersion: v1
+    kind: ConfigMap
+    metadata:
+      name: "${var.instance}-${var.component}-files"
+      labels: ${jsonencode(local.sonar_all_labels)}
+      namespace: ${var.namespace}
+    data:
+      sonar.properties: |-
+        sonar.telemetry.enable=false
+        sonar.updatecenter.activate=false
+        sonar.auth.saml.enabled=true
+        sonar.auth.saml.applicationId=
+        sonar.auth.saml.providerName=
+        sonar.auth.saml.providerId=
+        sonar.auth.saml.loginUrl=
+        sonar.auth.saml.certificate.secured=
+        sonar.auth.saml.user.login=
+        sonar.auth.saml.user.name=
+        sonar.auth.saml.user.email=
+        sonar.auth.saml.group.name=
+
+      prometheus-ce-config.yaml: |-
+        rules:
+        - pattern: .*
+      prometheus-config.yaml: |-
+        rules:
+        - pattern: .*
+EOF
+}
+
+resource "kubectl_manifest" "cm_scripts" {
+  yaml_body  = join("", concat([<<EOF
+    apiVersion: v1
+    kind: ConfigMap
+    metadata:
+      name: "${var.instance}-${var.component}-files"
+      labels: ${jsonencode(local.sonar_all_labels)}
+      namespace: ${var.namespace}
+    data:
+      init_sysctl.sh: |-
+        if [[ "$(sysctl -n vm.max_map_count)" -lt 524288 ]]; then
+          sysctl -w vm.max_map_count=524288
+        fi
+        if [[ "$(sysctl -n fs.file-max)" -lt 131072 ]]; then
+          sysctl -w fs.file-max=131072
+        fi
+        if [[ "$(ulimit -n)" != "unlimited" ]]; then
+          if [[ "$(ulimit -n)" -lt 131072 ]]; then
+            echo "ulimit -n 131072"
+            ulimit -n 131072
+          fi
+        fi
+        if [[ "$(ulimit -u)" != "unlimited" ]]; then
+          if [[ "$(ulimit -u)" -lt 8192 ]]; then
+            echo "ulimit -u 8192"
+            ulimit -u 8192
+          fi
+        fi
+      init_fs.sh: chown -R 1000:0 /opt/sonarqube
+      install_plugins.sh: |-
+        #!/bin/bash
+        if [ ! -f /data/jmx_prometheus_javaagent.jar ];then
+          curl -s 'https://repo1.maven.org/maven2/io/prometheus/jmx/jmx_prometheus_javaagent/0.17.2/jmx_prometheus_javaagent-0.17.2.jar'  --output /data/jmx_prometheus_javaagent.jar -v
+        fi
+        get_plugin() {
+          file=$(echo $1|sed 's#.*/##')
+          if [ ! -f "$file" ];then
+            curl -fsSLO "$1"
+          fi
+        }
+        cd /opt/sonarqube/extensions/plugins
+EOF
+    ],[for p in var.plugins: "        get_plugin ${p}"]))
+}
+
diff --git a/apps/sonar/sonar_PersistentVolumeClaim.tf b/apps/sonar/sonar_PersistentVolumeClaim.tf
new file mode 100644
index 0000000..2c33411
--- /dev/null
+++ b/apps/sonar/sonar_PersistentVolumeClaim.tf
@@ -0,0 +1,28 @@
+locals {
+  pvc_spec = merge({
+    "accessModes" = [var.storage.volume.accessMode]
+    "volumeMode" = var.storage.volume.type
+    "resources" = {
+      "requests" = {
+        "storage" = "${var.storage.volume.size}"
+      }
+    }
+  }, var.storage.volume.class != "" ?{
+    "storageClassName" = var.storage.volume.class
+  }:{})
+}
+
+resource "kubectl_manifest" "pvc" {
+  ignore_fields = ["spec.resources.requests.storage"]
+  yaml_body  = <<-EOF
+    apiVersion: v1
+    kind: PersistentVolumeClaim
+    metadata:
+      name: "${var.component}-${var.instance}"
+      namespace: "${var.namespace}"
+      labels: ${jsonencode(local.common_labels)}
+      annotations:
+        resize.kubesphere.io/storage_limit: "${var.storage.volume.maxSize}"
+    spec: ${jsonencode(local.pvc_spec)}
+  EOF
+}
diff --git a/apps/sonar/sonar_Secret.tf b/apps/sonar/sonar_Secret.tf
new file mode 100644
index 0000000..7ccc241
--- /dev/null
+++ b/apps/sonar/sonar_Secret.tf
@@ -0,0 +1,18 @@
+resource "random_password" "system" {
+  length           = 16
+  special          = false
+}
+
+resource "kubectl_manifest" "secret" {
+  yaml_body  = <<-EOF
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: "${var.instance}-${var.component}"
+      labels: ${jsonencode(local.sonar_all_labels)}
+      namespace: ${var.namespace}
+    type: Opaque
+    stringData:
+      SONAR_WEB_SYSTEMPASSCODE: "${random_password.system.result}"
+EOF
+}
diff --git a/apps/sonar/sonar_Service.tf b/apps/sonar/sonar_Service.tf
new file mode 100644
index 0000000..94124d0
--- /dev/null
+++ b/apps/sonar/sonar_Service.tf
@@ -0,0 +1,62 @@
+locals {
+  dns_name = "${var.sub_domain}.${var.domain_name}"
+  dns_names = [local.dns_name]
+  app_name = var.component == var.instance ? var.instance : format("%s-%s", var.component, var.instance)
+  icon              = "icon.svg"
+}
+
+module "service" {
+  source = "git::https://git.solidite.fr/vynil/kydah-modules.git//service"
+  component         = var.component
+  instance          = var.instance
+  namespace         = var.namespace
+  labels            = local.common_labels
+  selector          = local.sonar_labels
+  targets           = ["http"]
+  providers = {
+    kubectl = kubectl
+  }
+}
+
+module "ingress" {
+  source = "git::https://git.solidite.fr/vynil/kydah-modules.git//ingress"
+  component         = ""
+  instance          = var.instance
+  namespace         = var.namespace
+  issuer            = var.issuer
+  ingress_class     = var.ingress_class
+  labels            = local.common_labels
+  dns_names         = local.dns_names
+  middlewares       = [module.forward.middleware]
+  services          = [module.service.default_definition]
+  providers = {
+    kubectl = kubectl
+  }
+}
+
+module "application" {
+  source = "git::https://git.solidite.fr/vynil/kydah-modules.git//application"
+  component         = var.component
+  instance          = var.instance
+  app_group         = var.app_group
+  dns_name          = local.dns_name
+  icon              = local.icon
+  protocol_provider = module.saml.provider-id
+  providers = {
+    authentik = authentik
+  }
+}
+
+module "saml" {
+  source = "git::https://git.solidite.fr/vynil/kydah-modules.git//saml"
+  component         = var.component
+  instance          = var.instance
+  issuer            = "self-sign"
+  dns_names         = local.dns_names
+  namespace         = var.namespace
+  labels            = local.common_labels
+  providers = {
+    kubectl = kubectl
+    authentik = authentik
+  }
+}
diff --git a/apps/sonar/sonar_monitoring.tf b/apps/sonar/sonar_monitoring.tf
new file mode 100644
index 0000000..9fb0f75
--- /dev/null
+++ b/apps/sonar/sonar_monitoring.tf
@@ -0,0 +1,34 @@
+resource "kubectl_manifest" "PodMonitor_sonarqube" {
+  count = var.conditions.have_podmonitors?1:0
+  yaml_body  = <<-EOF
+    apiVersion: monitoring.coreos.com/v1
+    kind: PodMonitor
+    metadata:
+      name: sonarqube
+      namespace: ${var.namespace}
+      labels: ${jsonencode(local.sonar_all_labels)}
+    spec:
+      namespaceSelector:
+        matchNames:
+        - ${var.namespace}
+      selector:
+        matchLabels: ${jsonencode(local.sonar_labels)}
+      podMetricsEndpoints:
+      - port: http
+        path: /api/monitoring/metrics
+        scheme: http
+        interval: 30s
+        bearerTokenSecret:
+          name: ${kubectl_manifest.secret.name}
+          key: SONAR_WEB_SYSTEMPASSCODE
+      - port: monitoring-ce
+        path: /
+        scheme: http
+        interval: 30s
+      - port: monitoring-web
+        path: /
+        scheme: http
+        interval: 30s
+EOF
+}
+
diff --git a/apps/sonar/sonar_workload.tf b/apps/sonar/sonar_workload.tf
new file mode 100644
index 0000000..add4c31
--- /dev/null
+++ b/apps/sonar/sonar_workload.tf
@@ -0,0 +1,196 @@
+resource "kubectl_manifest" "Deployment_sonar-sonarqube" {
+  yaml_body  = <<-EOF
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      name: "${var.instance}-${var.component}"
+      labels: ${jsonencode(local.sonar_all_labels)}
+      namespace: ${var.namespace}
+    spec:
+      replicas: 1
+      revisionHistoryLimit: 10
+      selector:
+        matchLabels: ${jsonencode(local.sonar_labels)}
+      template:
+        metadata:
+          labels: ${jsonencode(local.sonar_labels)}
+        spec:
+          securityContext:
+            fsGroup: 0
+          initContainers:
+          - name: init-sysctl
+            image: "${var.images.sonar.registry}/${var.images.sonar.repository}:${var.images.sonar.tag}"
+            imagePullPolicy: ${var.images.sonar.pull_policy}
+            securityContext:
+              privileged: true
+              runAsUser: 0
+            command: ["/bin/bash","-e","/tmp/scripts/init_sysctl.sh"]
+            volumeMounts:
+            - name: scripts
+              mountPath: /tmp/scripts/
+          - name: wait-for-db
+            image: "${var.images.sonar.registry}/${var.images.sonar.repository}:${var.images.sonar.tag}"
+            imagePullPolicy: ${var.images.sonar.pull_policy}
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop: ["ALL"]
+              runAsGroup: 0
+              runAsNonRoot: true
+              runAsUser: 1000
+              seccompProfile:
+                type: RuntimeDefault
+            command: ["/bin/bash", "-c"]
+            args: ["set -o pipefail;for i in {1..200};do (echo > /dev/tcp/${var.instance}-${var.component}-rw/5432) && exit 0; sleep 2;done; exit 1"]
+          - name: configure
+            image: "${var.images.sonar.registry}/${var.images.sonar.repository}:${var.images.sonar.tag}"
+            imagePullPolicy: ${var.images.sonar.pull_policy}
+            command: ["/bin/bash","-e","/tmp/scripts/install_plugins.sh"]
+            volumeMounts:
+            - mountPath: /data
+              name: sonarqube
+              subPath: data
+            - mountPath: /opt/sonarqube/extensions/plugins
+              name: sonarqube
+              subPath: extensions/plugins
+            - name: scripts
+              mountPath: /tmp/scripts/
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop: ["ALL"]
+              runAsGroup: 0
+              runAsNonRoot: true
+              runAsUser: 1000
+              seccompProfile:
+                type: RuntimeDefault
+            envFrom:
+            - configMapRef:
+                name: ${kubectl_manifest.cm_env.name}
+            env:
+            - name: http_proxy
+              value: null
+            - name: https_proxy
+              value: null
+            - name: no_proxy
+              value: null
+          containers:
+          - name: sonarqube
+            image: "${var.images.sonar.registry}/${var.images.sonar.repository}:${var.images.sonar.tag}"
+            imagePullPolicy: ${var.images.sonar.pull_policy}
+            ports:
+            - name: http
+              containerPort: 9000
+              protocol: TCP
+            - name: monitoring-web
+              containerPort: 8000
+              protocol: TCP
+            - name: monitoring-ce
+              containerPort: 8001
+              protocol: TCP
+            resources:
+              limits: ${jsonencode(var.resources.limits)}
+              requests: ${jsonencode(var.resources.requests)}
+            env:
+            - name: SONAR_JDBC_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: ${var.instance}-${var.component}-rw.${var.namespace}.svc
+                  key: password
+            envFrom:
+            - secretRef:
+                name: ${kubectl_manifest.secret.name}
+            - configMapRef:
+                name: ${kubectl_manifest.cm_env.name}
+            livenessProbe:
+              exec:
+                command:
+                - sh
+                - -c
+                - |
+                  wget --no-proxy --quiet -O /dev/null --timeout=1 --header="X-Sonar-Passcode: $SONAR_WEB_SYSTEMPASSCODE" "http://localhost:9000/api/system/liveness"
+              initialDelaySeconds: 60
+              periodSeconds: 30
+              failureThreshold: 6
+              timeoutSeconds: 1
+            readinessProbe:
+              exec:
+                command:
+                - sh
+                - -c
+                - |
+                  #!/bin/bash
+                  if wget --no-proxy -qO- http://localhost:9000/api/system/status | grep -q -e '"status":"UP"' -e '"status":"DB_MIGRATION_NEEDED"' -e '"status":"DB_MIGRATION_RUNNING"'; then
+                    exit 0
+                  fi
+                  exit 1
+              initialDelaySeconds: 60
+              periodSeconds: 30
+              failureThreshold: 6
+              timeoutSeconds: 1
+            startupProbe:
+              httpGet:
+                scheme: HTTP
+                path: /api/system/status
+                port: http
+              initialDelaySeconds: 30
+              periodSeconds: 10
+              failureThreshold: 24
+              timeoutSeconds: 1
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop: ["ALL"]
+              runAsGroup: 0
+              runAsNonRoot: true
+              runAsUser: 1000
+              seccompProfile:
+                type: RuntimeDefault
+            volumeMounts:
+            - mountPath: /opt/sonarqube/data
+              name: sonarqube
+              subPath: data
+            - mountPath: /opt/sonarqube/extensions
+              name: sonarqube
+              subPath: extensions
+            - mountPath: /opt/sonarqube/temp
+              name: sonarqube
+              subPath: temp
+            - mountPath: /opt/sonarqube/logs
+              name: sonarqube
+              subPath: logs
+            - mountPath: /tmp
+              name: tmp-dir
+            - mountPath: /opt/sonarqube/conf/prometheus-config.yaml
+              subPath: prometheus-config.yaml
+              name: files
+            - mountPath: /opt/sonarqube/conf/prometheus-ce-config.yaml
+              subPath: prometheus-ce-config.yaml
+              name: files
+          serviceAccountName: default
+          volumes:
+          - name: scripts
+            configMap:
+              name: ${kubectl_manifest.wordpress_files.name}
+              defaultMode: 0755
+              items:
+              - key: init_sysctl.sh
+                path: init_sysctl.sh
+              - key: install_plugins.sh
+                path: install_plugins.sh
+          - name: files
+            configMap:
+              name: ${kubectl_manifest.cm_files.name}
+              defaultMode: 0644
+              items:
+              - key: prometheus-config.yaml
+                path: prometheus-config.yaml
+              - key: prometheus-ce-config.yaml
+                path: prometheus-ce-config.yaml
+          - name: sonarqube
+            persistentVolumeClaim:
+              claimName: ${kubectl_manifest.pvc.name}
+          - name: tmp-dir
+            emptyDir: {}
+EOF
+}
diff --git a/apps/sonar/template.rhai b/apps/sonar/template.rhai
new file mode 100644
index 0000000..9ddda00
--- /dev/null
+++ b/apps/sonar/template.rhai
@@ -0,0 +1,6 @@
+const DEST=dest;
+fn post_template() {
+    save_to_tf(`${global::DEST}/conditions.tf`, "conditions", #{
+        have_podmonitors: have_crd("podmonitors.monitoring.coreos.com"),
+    });
+}
diff --git a/apps/sonar/v1_ConfigMap_sonar-sonarqube-config.yaml b/apps/sonar/v1_ConfigMap_sonar-sonarqube-config.yaml
deleted file mode 100644
index c510a98..0000000
--- a/apps/sonar/v1_ConfigMap_sonar-sonarqube-config.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-# Source: sonarqube/templates/config.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: sonar-sonarqube-config
-  labels:
-    app: sonarqube
-    chart: sonarqube-10.5.1_2816
-    release: sonar
-    heritage: Helm
-data:
-  sonar.properties: |
\ No newline at end of file
diff --git a/apps/sonar/v1_ConfigMap_sonar-sonarqube-init-fs.yaml b/apps/sonar/v1_ConfigMap_sonar-sonarqube-init-fs.yaml
deleted file mode 100644
index 7dffa6d..0000000
--- a/apps/sonar/v1_ConfigMap_sonar-sonarqube-init-fs.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-# Source: sonarqube/templates/init-fs.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: sonar-sonarqube-init-fs
-  labels:
-    app: sonarqube
-    chart: sonarqube-10.5.1_2816
-    release: sonar
-    heritage: Helm
-data:
-  init_fs.sh: |-
\ No newline at end of file
diff --git a/apps/sonar/v1_ConfigMap_sonar-sonarqube-init-sysctl.yaml b/apps/sonar/v1_ConfigMap_sonar-sonarqube-init-sysctl.yaml
deleted file mode 100644
index 64687bd..0000000
--- a/apps/sonar/v1_ConfigMap_sonar-sonarqube-init-sysctl.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-# Source: sonarqube/templates/init-sysctl.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: sonar-sonarqube-init-sysctl
-  labels:
-    app: sonarqube
-    chart: sonarqube-10.5.1_2816
-    release: sonar
-    heritage: Helm
-data:
-  init_sysctl.sh: |-
-    if [[ "$(sysctl -n vm.max_map_count)" -lt 524288 ]]; then
-      sysctl -w vm.max_map_count=524288
-    fi
-    if [[ "$(sysctl -n fs.file-max)" -lt 131072 ]]; then
-      sysctl -w fs.file-max=131072
-    fi
-    if [[ "$(ulimit -n)" != "unlimited" ]]; then
-      if [[ "$(ulimit -n)" -lt 131072 ]]; then
-        echo "ulimit -n 131072"
-        ulimit -n 131072
-      fi
-    fi
-    if [[ "$(ulimit -u)" != "unlimited" ]]; then
-      if [[ "$(ulimit -u)" -lt 8192 ]]; then
-        echo "ulimit -u 8192"
-        ulimit -u 8192
-      fi
-    fi
\ No newline at end of file
diff --git a/apps/sonar/v1_ConfigMap_sonar-sonarqube-install-plugins.yaml b/apps/sonar/v1_ConfigMap_sonar-sonarqube-install-plugins.yaml
deleted file mode 100644
index 18da357..0000000
--- a/apps/sonar/v1_ConfigMap_sonar-sonarqube-install-plugins.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-# Source: sonarqube/templates/install-plugins.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: sonar-sonarqube-install-plugins
-  labels:
-    app: sonarqube
-    chart: sonarqube-10.5.1_2816
-    release: sonar
-    heritage: Helm
-data:
-  install_plugins.sh: |-
-      rm -f /opt/sonarqube/extensions/plugins/*
-      cd /opt/sonarqube/extensions/plugins
-      curl   -fsSLO "https://github.com/vaulttec/sonar-auth-oidc/releases/download/v2.1.1/sonar-auth-oidc-plugin-2.1.1.jar"
-      curl   -fsSLO "https://github.com/jycr/sonar-l10n-fr/releases/download/9.9.0/sonar-l10n-fr-plugin-9.9.0.jar"
-      curl   -fsSLO "https://github.com/sbaudoin/sonar-yaml/releases/download/v1.7.0/sonar-yaml-plugin-1.7.0.jar"
-      curl   -fsSLO "https://github.com/sbaudoin/sonar-shellcheck/releases/download/v2.5.0/sonar-shellcheck-plugin-2.5.0.jar"
-      curl   -fsSLO "https://github.com/cnescatlab/sonar-hadolint-plugin/releases/download/1.1.0/sonar-hadolint-plugin-1.1.0.jar"
-      curl   -fsSLO "https://github.com/sbaudoin/sonar-ansible/releases/download/v2.5.1/sonar-ansible-extras-plugin-2.5.1.jar"
\ No newline at end of file
diff --git a/apps/sonar/v1_ConfigMap_sonar-sonarqube-jdbc-config.yaml b/apps/sonar/v1_ConfigMap_sonar-sonarqube-jdbc-config.yaml
deleted file mode 100644
index 498d603..0000000
--- a/apps/sonar/v1_ConfigMap_sonar-sonarqube-jdbc-config.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-# Source: sonarqube/templates/jdbc-config.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: sonar-sonarqube-jdbc-config
-  labels:
-    app: sonarqube
-    chart: sonarqube-10.5.1_2816
-    release: sonar
-    heritage: Helm
-data:
-  SONAR_JDBC_USERNAME: "sonarUser"
-  SONAR_JDBC_URL: "jdbc:postgresql://sonar-postgresql:5432/sonarDB"
\ No newline at end of file
diff --git a/apps/sonar/v1_ConfigMap_sonar-sonarqube-prometheus-ce-config.yaml b/apps/sonar/v1_ConfigMap_sonar-sonarqube-prometheus-ce-config.yaml
deleted file mode 100644
index 56175f2..0000000
--- a/apps/sonar/v1_ConfigMap_sonar-sonarqube-prometheus-ce-config.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-# Source: sonarqube/templates/prometheus-ce-config.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: sonar-sonarqube-prometheus-ce-config
-  labels:
-    app: sonarqube
-    chart: sonarqube-10.5.1_2816
-    release: sonar
-    heritage: Helm
-data:
-  prometheus-ce-config.yaml: |-
-        rules:
-        - pattern: .*
\ No newline at end of file
diff --git a/apps/sonar/v1_ConfigMap_sonar-sonarqube-prometheus-config.yaml b/apps/sonar/v1_ConfigMap_sonar-sonarqube-prometheus-config.yaml
deleted file mode 100644
index 7129f7f..0000000
--- a/apps/sonar/v1_ConfigMap_sonar-sonarqube-prometheus-config.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-# Source: sonarqube/templates/prometheus-config.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: sonar-sonarqube-prometheus-config
-  labels:
-    app: sonarqube
-    chart: sonarqube-10.5.1_2816
-    release: sonar
-    heritage: Helm
-data:
-  prometheus-config.yaml: |-
-        rules:
-        - pattern: .*
\ No newline at end of file
diff --git a/apps/sonar/v1_Secret_sonar-sonarqube-monitoring-passcode.yaml b/apps/sonar/v1_Secret_sonar-sonarqube-monitoring-passcode.yaml
deleted file mode 100644
index a2b2b8c..0000000
--- a/apps/sonar/v1_Secret_sonar-sonarqube-monitoring-passcode.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: sonar-sonarqube-monitoring-passcode
-  labels:
-    app: sonarqube
-    chart: sonarqube-10.5.1_2816
-    release: sonar
-    heritage: Helm
-type: Opaque
-data:
-  SONAR_WEB_SYSTEMPASSCODE: "ZGVmaW5lX2l0"
\ No newline at end of file
diff --git a/apps/sonar/v1_Service_sonar-sonarqube.yaml b/apps/sonar/v1_Service_sonar-sonarqube.yaml
deleted file mode 100644
index 5b78ba7..0000000
--- a/apps/sonar/v1_Service_sonar-sonarqube.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-# Source: sonarqube/templates/service.yaml
-apiVersion: v1
-kind: Service
-metadata:
-  name: sonar-sonarqube
-  labels:
-    app: sonarqube
-    chart: sonarqube-10.5.1_2816
-    release: sonar
-    heritage: Helm
-
-spec:
-  type: ClusterIP
-  ports:
-    - port: 9000
-      targetPort: http
-      protocol: TCP
-      name: http
-  selector:
-    app: sonarqube
-    release: sonar
\ No newline at end of file