No possibility to install Sonarqube via Helm on Kubernetes without storing passwords in plain text

ralf157 · April 26, 2025, 11:38am

Must-share information (formatted with Markdown):

which versions are you using (SonarQube Server / Community Build, Scanner, Plugin, and any relevant extension)
- Helm Chart Version: 2025.2.0
- Sonarqube Version: 2025.2.0 (25.1.0.102122)
- Edition: Community
- Kubernetes Version: 1.30.1
how is SonarQube deployed:
Helm
What are you trying to achieve?
I am implementing GitOps with Helm Charts and ArgoCD. All resources needed to run a Sonarqube instance should be declared in a single app.
I want to prevent sensitive data such as passwords from being shared in plain text in my Git and the data required for the instance from being distributed across several apps or tools.
what have you tried so far to achieve this
- deployed secrets for sonarqube (jdbc, monitoringPasscode) in an extra ArgoCD App, beside my Sonarque App (no single point of view within ArgoCD App “Sonarqube”)
- deployed sonarqube containing those sensitive data within the values-file (bad practise)
- deployed sensitive data by using external secret operator with openBAO (no single point of view within ArgoCD App “Sonarqube”)
Now I opened a Pull Request to add those capabilities without adding support to the helm chart by just adding an array of extraManifests to the Chart’s template

jonesbusy · April 27, 2025, 9:16am

Pretty much same use case here but deploying with FluxCD and sops to encrypt secret.

The solution I was using since 3 years is to create a new chart that depends on helm-chart-sonarqube (subchart). And adding extra manifest there. Can be useful also to add default values on values.yml

ralf157 · April 27, 2025, 9:37am

Thanks for Sharing you expierience/approach!

How much effort are you putting in your “wrapper chart” to maintain in terms of upgrading the default-values alongside with new sonarqube chart versions?

jonesbusy · May 2, 2025, 8:06am

Pretty much none (We have already Ci to build/release other internal charts)

There was some breaking change at some point, but not su much (example Upgrade helm chart from 10.6.1 to 10.6.0 broke LDAP authentication due to secret env)

Using recent Helm, override of values between subcharts works well, so only override can be spefiied. No need to copy existing values.yml

Topic		Replies	Views
SonarQube Community Edition: Hardcoded Passwords in Kubernetes config maps SonarQube Server / Community Build sonarqube , kubernetes	4	743	December 16, 2021
Helm chart, how do I change the default admin password without exposing a password in the values.yml SonarQube Server / Community Build sonarqube , kubernetes , helm	2	1479	July 15, 2022
Use Secret for monitoringPasscode in SonarQube Helm Chart SonarQube Server / Community Build helm	6	1775	December 15, 2022
Helm chart > plugins installation: using secrets for proxy authentication SonarQube Server / Community Build proxy , plugin , helm	3	558	December 8, 2023
Configure Settings Encryption for SonarQube using Helm Chart SonarQube Server / Community Build	4	797	February 9, 2023

No possibility to install Sonarqube via Helm on Kubernetes without storing passwords in plain text

Related topics