While reviewing the config map of the sonarqube Kubernetes service, it was found that passwords are hardcoded and stored in clear text inside the config map code-quality SonarQube-config.
Right now, we’re using the version *Community Edition* Version 8.5.1 (build 38104).
Is there any plan to change that behavior that has an impact on security?
Which chart are you using? We have official charts on Artifact Hub and none of them have hardcoded values. As you can see here and here, confidential variables are referenced from secrets there, and you have the option to use an external existing secret here as well.
If you found something like you described in another Helm chart, it might be a good idea to switch or check out why this ConfigMap exists in the first place.
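To make the distinction concrete, here is an added example of the two patterns being discussed (it is constructed for this thread and is not taken from the official SonarSource charts or from the chart the original poster reviewed). All object names and the image tag are assumptions; `SONAR_JDBC_USERNAME` and `SONAR_JDBC_PASSWORD` are SonarQube's standard database environment variables.

```yaml
# Pattern the thread warns about: a ConfigMap carrying a clear-text credential.
# Anyone with "get configmaps" in the namespace can read the password.
apiVersion: v1
kind: ConfigMap
metadata:
  name: sonarqube-config            # constructed name
data:
  SONAR_JDBC_USERNAME: sonar
  SONAR_JDBC_PASSWORD: "clear-text-password"   # the defect: credential in a ConfigMap
---
# Corrected pattern: the credential lives in a Secret. This object can be created
# by the chart or supplied separately as an "existing secret" that the chart only references.
apiVersion: v1
kind: Secret
metadata:
  name: sonarqube-db-credentials    # constructed name
type: Opaque
stringData:
  password: "clear-text-password"   # placeholder; supply the real value out of band
---
# Non-sensitive settings stay in a ConfigMap; the password is read through secretKeyRef.
apiVersion: v1
kind: ConfigMap
metadata:
  name: sonarqube-config-fixed      # constructed name
data:
  SONAR_JDBC_USERNAME: sonar
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sonarqube
spec:
  selector:
    matchLabels:
      app: sonarqube
  template:
    metadata:
      labels:
        app: sonarqube
    spec:
      containers:
        - name: sonarqube
          image: sonarqube:8.5.1-community   # version from the thread; tag format is an assumption
          env:
            - name: SONAR_JDBC_USERNAME
              valueFrom:
                configMapKeyRef:
                  name: sonarqube-config-fixed
                  key: SONAR_JDBC_USERNAME
            - name: SONAR_JDBC_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: sonarqube-db-credentials
                  key: password
```

The practical check before installing any chart is to render it locally (for example with `helm template`) and look for password-like keys under `kind: ConfigMap`; a correctly built chart puts them only under `kind: Secret` or references a Secret that already exists. Keeping credentials in Secrets also lets you scope RBAC separately (read access to ConfigMaps does not grant read access to Secrets) and lets the cluster's encryption-at-rest configuration apply to them.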
That is not one of the official Helm charts Tobias was referring to. Recommend switching to an official chart or contacting the owner to raise the issue.
Also note that this is the SonarSource community, not Sonatype
Thanks, Brian, for the info. We will have a look at switching to the official chart.
Also, a great catch about Sonatype. Will change it and report the result.