[GH-ISSUE #3731] Password not persisting in data-sources.json when using ConfigMap for preconfigured connections in DBeaver #1308

Closed
opened 2026-03-07 21:02:16 +03:00 by kerem · 2 comments

Originally created by @LukashevichVitali on GitHub (Sep 9, 2025).
Original GitHub issue: https://github.com/dbeaver/cloudbeaver/issues/3731

Description

Description:

I am deploying CloudBeaver in a Kubernetes cluster using a Helm chart. My setup includes predefined database connections (e.g., PostgreSQL) configured via a data-sources.json file stored in a ConfigMap. However, I am facing an issue where the password for the predefined connection is not persisted after redeploying the Pod.

Setup Details

Helm Chart: avisto/cloudbeaver
CloudBeaver Version: 25.1.4
Persistence: Disabled (no external storage, such as PostgreSQL, for CloudBeaver's configuration)
Dynamic Environments: The setup is used in dynamic environments, so the database (PostgreSQL) is in the same Kubernetes namespace as CloudBeaver.
Connection Configuration: The data-sources.json file is stored in a ConfigMap and mounted to /opt/cloudbeaver/workspace/GlobalConfiguration/.dbeaver.

Values File for Helm Chart
Here is the values.yaml file I am using for the Helm chart:

```
image:
  tag: 25.1.4

extraEnvVars:
  - name: CLOUDBEAVER_APP_ANONYMOUS_ACCESS_ENABLED
    value: "false"
  - name: CB_ADMIN_NAME
    value: "admin"
  - name: CB_ADMIN_PASSWORD
    value: "password"
  - name: CB_SERVER_NAME
    value: "CloudBeaver"
  - name: CB_SERVER_URL
    value: "https://test.com/"
  - name: CLOUDBEAVER_DB_BACKUP_ENABLED
    value: "false"

extraVolumes:
  - name: cloudbeaver-datasources
    configMap:
      name: cloudbeaver-datasources

extraVolumeMounts:
  - name: cloudbeaver-datasources
    mountPath: /opt/cloudbeaver/workspace/GlobalConfiguration/.dbeaver

ingress:
  enabled: true
  ingressClassName: nginx
  hostname: test.com
  path: /
  pathType: ImplementationSpecific
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
  tls: true

persistence:
  enabled: false

extraDeploy:
  - |
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: cloudbeaver-datasources
    data:
      data-sources.json: |
        {
                "folders": {},
                "connections": {
                        "postgres-jdbc-15809d8ab29af39": {
                                "provider": "postgresql",
                                "driver": "postgres-jdbc",
                                "name": "PostgreSQL@postgresql.infra",
                                "save-password": true,
                                "configuration": {
                                        "host": "postgresql.infra-smoke.svc.cluster.local",
                                        "port": "5432",
                                        "database": "postgres",
                                        "url": "jdbc:postgresql://postgresql.infra-smoke.svc.cluster.local:5432/postgres",
                                        "configurationType": "MANUAL",
                                        "type": "dev",
                                        "closeIdleConnection": true,
                                        "auth-model": "native",
                                        "bootstrap": {
                                                "autocommit": true
                                        }
                                }
                        }
                }
        }
```

Problem

Even though I set "save-password": true in the data-sources.json file, the password is not saved. After deploying the Pod with the predefined configuration, I manually input the password into the CloudBeaver UI and verify that the connection works. When I then copy the updated data-sources.json file from the container and use it in the ConfigMap for future deployments, the password is still not persisted.

It appears that CloudBeaver does not store the password in the data-sources.json file directly, even if "save-password": true. Instead, the password is likely stored in an encrypted format elsewhere. Since I am not using persistence (e.g., a dedicated PostgreSQL database for CloudBeaver), this password is lost when the Pod restarts.

Questions

Is there a way to persist passwords for predefined connections when using a ConfigMap for data-sources.json?
If passwords are stored elsewhere (e.g., encrypted storage), is there a way to automate their configuration in a stateless setup like mine?
Are there any additional configurations I can provide to ensure predefined connections retain their passwords?

Steps to reproduce

  1. Deploy CloudBeaver using the Helm chart without the ConfigMap.
  2. Manually input credentials through the UI.
  3. Copy the updated data-sources.json file from the container and use it in the ConfigMap for redeployment.
  4. Redeploy the Helm chart with values.yaml and try to connect to the previously configured connection.

ERROR:

```
Error connecting to database:
The server requested password-based authentication, but no password was provided by plugin null
org.postgresql.util.PSQLException: The server requested password-based authentication, but no password was provided by plugin null
at org.postgresql.Driver$ConnectThread.getResult(Driver.java:397)
at org.postgresql.Driver.connect(Driver.java:305)
at org.jkiss.dbeaver.model.impl.jdbc.JDBCConnectionOpener.run(JDBCConnectionOpener.java:112)
at org.jkiss.dbeaver.model.impl.jdbc.JDBCConnectionOpener.run(JDBCConnectionOpener.java:86)
at org.jkiss.dbeaver.model.impl.jdbc.JDBCDataSource.openConnection(JDBCDataSource.java:215)
at org.jkiss.dbeaver.model.impl.jdbc.JDBCDataSource.openConnection(JDBCDataSource.java:133)
at org.jkiss.dbeaver.ext.postgresql.model.PostgreDataSource.openConnection(PostgreDataSource.java:565)
at org.jkiss.dbeaver.model.impl.jdbc.JDBCExecutionContext.connect(JDBCExecutionContext.java:124)
at org.jkiss.dbeaver.model.impl.jdbc.JDBCRemoteInstance.initializeMainContext(JDBCRemoteInstance.java:106)
at org.jkiss.dbeaver.ext.postgresql.model.PostgreDatabase.checkInstanceConnection(PostgreDatabase.java:237)
at org.jkiss.dbeaver.ext.postgresql.model.PostgreDatabase.<init>(PostgreDatabase.java:122)
at org.jkiss.dbeaver.ext.postgresql.model.PostgreDataSource.createDatabaseImpl(PostgreDataSource.java:276)
at org.jkiss.dbeaver.ext.postgresql.model.PostgreDataSource.initializeRemoteInstance(PostgreDataSource.java:170)
at org.jkiss.dbeaver.model.impl.jdbc.JDBCDataSource.<init>(JDBCDataSource.java:109)
at org.jkiss.dbeaver.model.impl.jdbc.JDBCDataSource.<init>(JDBCDataSource.java:100)
at org.jkiss.dbeaver.ext.postgresql.model.PostgreDataSource.<init>(PostgreDataSource.java:108)
at org.jkiss.dbeaver.ext.postgresql.PostgreDataSourceProvider.openDataSource(PostgreDataSourceProvider.java:122)
at org.jkiss.dbeaver.registry.DataSourceDescriptor.openDataSource(DataSourceDescriptor.java:1413)
at org.jkiss.dbeaver.registry.DataSourceDescriptor.connect0(DataSourceDescriptor.java:1271)
at org.jkiss.dbeaver.registry.DataSourceDescriptor.connect(DataSourceDescriptor.java:1061)
at io.cloudbeaver.service.ConnectionControllerCE.initConnection(ConnectionControllerCE.java:455)
at io.cloudbeaver.service.core.impl.WebServiceCore.initConnection(WebServiceCore.java:294)
at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
at java.base/java.lang.reflect.Method.invoke(Method.java:580)
```

Expected/Desired Behavior

The password for the predefined connection should persist across Pod restarts when using the same data-sources.json file.

CloudBeaver Version

25.1.4

Additional context

Helm chart: https://artifacthub.io/packages/helm/avisto/cloudbeaver


@EvgeniaBzzz commented on GitHub (Sep 10, 2025):

Hi @LukashevichVitali
This behavior is expected - for security reasons, the password is not stored in plain text in data-sources.json.

As a workaround, you can manually add the user/password to the connection configuration (https://github.com/dbeaver/cloudbeaver/issues/2165#issuecomment-1834257959).

Please, let me know if it works for you.


@LukashevichVitali commented on GitHub (Sep 10, 2025):

> Hi @LukashevichVitali This behavior is expected - for security reasons, the password is not stored in plain text in data-sources.json.
>
> As a workaround, you can manually add the user/password to the connection configuration (https://github.com/dbeaver/cloudbeaver/issues/2165#issuecomment-1834257959).
>
> Please, let me know if it works for you.

Hi @EvgeniaBzzz
Thank you for your response! Your workaround worked perfectly for me, much appreciated.
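I believe it might be a good idea to include this information in the documentation for others who might face the same issue, for example there: Automatic server configuration (https://github.com/dbeaver/cloudbeaver/wiki/Server-configuration#automatic-server-configuration) or there: User credentials storage (https://github.com/dbeaver/cloudbeaver/wiki/User-credentials-storage)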
Thanks again!
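
The workaround discussed in this thread, as an added example that is not part of the original issue or CloudBeaver's own code: it injects credentials from environment variables into the connection's configuration and wraps the resulting data-sources.json in a Kubernetes Secret instead of a ConfigMap, because the file now carries a plaintext password. The `user`/`password` key names, the `PG_USER`/`PG_PASSWORD` variables and the trimmed sample are assumptions; the exact keys are given only in the linked comment.

```python
import json
import os
import sys

# Constructed sample: trimmed copy of the data-sources.json posted in the issue.
SAMPLE = {
    "folders": {},
    "connections": {
        "postgres-jdbc-15809d8ab29af39": {
            "provider": "postgresql",
            "driver": "postgres-jdbc",
            "name": "PostgreSQL@postgresql.infra",
            "save-password": True,
            "configuration": {"host": "postgresql.infra-smoke.svc.cluster.local",
                              "port": "5432", "database": "postgres",
                              "auth-model": "native"},
        }
    },
}

def inject_credentials(data_sources, creds):
    """Return a copy with user/password set on each connection id in creds."""
    out = json.loads(json.dumps(data_sources))  # deep copy, input stays clean
    for conn_id, (user, password) in creds.items():
        if conn_id not in out["connections"]:
            raise KeyError(f"unknown connection id: {conn_id}")
        if not user or not password:
            raise ValueError(f"empty credential for {conn_id}")
        cfg = out["connections"][conn_id].setdefault("configuration", {})
        cfg["user"], cfg["password"] = user, password  # assumed key names
    return out

def connections_with_password(data_sources):
    """Audit helper: ids whose configuration carries a plaintext password."""
    conns = data_sources.get("connections", {})
    return sorted(c for c, v in conns.items()
                  if "password" in v.get("configuration", {}))

def secret_manifest(name, data_sources):
    """Wrap the file in a Secret (JSON is valid input for kubectl apply)."""
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": name},
            "stringData": {"data-sources.json": json.dumps(data_sources, indent=2)}}

if __name__ == "__main__":
    user, pw = os.environ.get("PG_USER"), os.environ.get("PG_PASSWORD")  # hypothetical names
    if not user or not pw:
        sys.exit("set PG_USER and PG_PASSWORD")
    filled = inject_credentials(SAMPLE, {"postgres-jdbc-15809d8ab29af39": (user, pw)})
    print(json.dumps(secret_manifest("cloudbeaver-datasources", filled), indent=2))
```

To mount the result at the same path, the `extraVolumes` entry would use a `secret:` volume with `secretName:` in place of `configMap:`; `connections_with_password` can run in CI against any file still destined for a ConfigMap.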
