SonarQube Community Edition: Hardcoded Passwords in Kubernetes config maps

While reviewing the config map of the sonarqube Kubernetes service, it was found that passwords are hardcoded and stored in clear text inside the config map code-quality SonarQube-config.
Right now, we're using *Community Edition* Version 8.5.1 (build 38104).

Is there any plan to change that behavior that has an impact on security?

Hello @maikbrauer and welcome to the community :wave:

Which chart are you using? We have official charts on Artifact Hub, and none of them have hardcoded values. As you can see here and here, confidential variables are referenced from Secrets there, and you have the option to use an external existing Secret here as well.

If you found something like you described in another Helm chart, it might be a good idea to switch, or to check why this ConfigMap exists in the first place.

Hope that helps.

1 Like
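The distinction Tobias draws above (credentials belong in a Secret referenced by the pod, never in a ConfigMap) is easy to check for in a CI or admission pipeline. The following is an added example, not code from this thread or from the SonarSource charts: a dependency-free scanner that walks multi-document YAML manifests and flags password-like keys in `ConfigMap` data, shown against a constructed ConfigMap carrying a clear-text JDBC password and against its hardened form, where the password moves to a `Secret` consumed via `secretKeyRef`. The manifest names, the `SONAR_JDBC_*` keys, the placeholder password and the image tag are assumptions made for the illustration.

```python
"""Detect password-like keys hardcoded in Kubernetes ConfigMaps.

Added example (not from the forum thread or any official chart): a minimal,
dependency-free scanner that walks multi-document YAML manifests line by line
and flags ConfigMap `data` keys whose names look like credentials. All
manifests below are constructed for illustration.
"""
import re

# Key names that should never live in a ConfigMap (matched case-insensitively).
SENSITIVE_KEY = re.compile(r"(passw(or)?d|secret|token|api[_-]?key)", re.IGNORECASE)

# Constructed manifest in the style of the problem reported: a ConfigMap
# carrying a database password in clear text. Names/values are placeholders.
INSECURE_MANIFEST = """\
apiVersion: v1
kind: ConfigMap
metadata:
  name: sonarqube-config
data:
  SONAR_JDBC_URL: jdbc:postgresql://db:5432/sonar
  SONAR_JDBC_USERNAME: sonar
  SONAR_JDBC_PASSWORD: s3cr3t-placeholder
"""

# Constructed remediation: the password moves to a Secret and the pod reads it
# through secretKeyRef; the ConfigMap keeps only non-sensitive settings.
# The image tag is an assumption for the example.
HARDENED_MANIFEST = """\
apiVersion: v1
kind: ConfigMap
metadata:
  name: sonarqube-config
data:
  SONAR_JDBC_URL: jdbc:postgresql://db:5432/sonar
  SONAR_JDBC_USERNAME: sonar
---
apiVersion: v1
kind: Secret
metadata:
  name: sonarqube-db
type: Opaque
stringData:
  SONAR_JDBC_PASSWORD: s3cr3t-placeholder
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sonarqube
spec:
  template:
    spec:
      containers:
        - name: sonarqube
          image: sonarqube:8.5.1-community
          envFrom:
            - configMapRef:
                name: sonarqube-config
          env:
            - name: SONAR_JDBC_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: sonarqube-db
                  key: SONAR_JDBC_PASSWORD
"""


def split_documents(manifest: str):
    """Split a multi-document YAML string on top-level '---' separators."""
    parts = re.split(r"^---\s*$", manifest, flags=re.MULTILINE)
    return [doc for doc in parts if doc.strip()]


def find_hardcoded_secrets(manifest: str):
    """Return (configmap_name, key) pairs for sensitive-looking ConfigMap keys.

    Only the `data:` / `binaryData:` sections of `kind: ConfigMap` documents
    are inspected; Secret objects are the correct home for such keys and are
    deliberately left alone.
    """
    findings = []
    for doc in split_documents(manifest):
        lines = doc.splitlines()
        kind = next((l.split(":", 1)[1].strip() for l in lines if l.startswith("kind:")), None)
        if kind != "ConfigMap":
            continue
        name, in_metadata, in_data = "<unnamed>", False, False
        for line in lines:
            stripped = line.strip()
            indent = len(line) - len(line.lstrip())
            if indent == 0:  # top-level section header resets the state machine
                in_metadata = stripped.startswith("metadata:")
                in_data = stripped.startswith(("data:", "binaryData:"))
                continue
            if in_metadata and stripped.startswith("name:"):
                name = stripped.split(":", 1)[1].strip()
            elif in_data and ":" in stripped:
                key = stripped.split(":", 1)[0]
                if SENSITIVE_KEY.search(key):
                    findings.append((name, key))
    return findings


if __name__ == "__main__":
    for label, manifest in (("insecure", INSECURE_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(label, find_hardcoded_secrets(manifest) or "clean")
```

Running the block reports `('sonarqube-config', 'SONAR_JDBC_PASSWORD')` for the insecure manifest and `clean` for the hardened one. The scanner keys on names rather than values on purpose: a ConfigMap is readable by anyone with `get configmaps` in the namespace and is often rendered into logs and diffs, so the presence of a credential-shaped key there is the finding, regardless of how strong the value looks.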

Hi @Tobias_Trabelsi, we are using Chart Version 9.6.3 from oteemocharts/sonatype-nexus.

Hello,

That is not one of the official Helm charts Tobias was referring to. Recommend switching to an official chart or contacting the owner to raise the issue.

Also note that this is the SonarSource community, not Sonatype :wink:

Brian

Thanks, Brian, for the info. We will have a look at switching to the official chart.
Also, great catch about Sonatype. We will change it and report the result.

Thanks again!

Cheers
Maik