Encrypting Helm chart sensitive data

You can encrypt any sonar property stored in the values.yaml file and some Helm parameters, such as jdbcPassword, that will be managed as sonar properties. The encryption algorithm used is AES with 256-bit keys.

You must have the Administer System permission in SonarQube Server to perform this procedure.

Prerequisites

SonarQube Server must be up and running.

Step 1: Create the encryption key

1. In SonarQube Server UI, go to Administration > Configuration > Encryption.
2. Select Generate Secret Key. An encryption key is generated.
3. Store the generated key in a safe location.

Step 2: Create a Kubernetes secret to store the encryption key

Use the command below:

kubectl create secret generic --from-literal sonar-secret.txt=<encryptionKeyValue> <encryptionKeySecretName>

Example:

kubectl create secret generic --from-literal sonar-secret.txt=EgycYJc4Ek4uj2pH39e3+bnnk15IrVu4dxtfjDyN1y8= myEncryptionKeySecret

Step 3: Enable the encryption in the Helm chart

Install the encryption key secret as follows:

1. Add the following to the  values.yaml file:

sonarSecretKey: <encryptionKeySecretName>

2. Use the helm upgrade command.

Step 4: Encrypt the sensitive data

To encrypt a sensitive property in values.yaml:

1. In SonarQube Server UI, go to Administration > Configuration > Encryption. 

2. Enter the value of the property.

3. Select the Encrypt button. The encrypted value of the property is generated.

4. Select the copy tool.

5. In the values.yaml file, replace the value of the property with the copied encrypted value.

6. Use the helm upgrade command.