devtron-labs · iamayushm · Oct 29, 2025 · Oct 28, 2025
@@ -188,6 +188,7 @@
  | ENABLE_ASYNC_ARGO_CD_INSTALL_DEVTRON_CHART | bool |false | To enable async installation of gitops application |  | false |
  | ENABLE_ASYNC_INSTALL_DEVTRON_CHART | bool |false | To enable async installation of no-gitops application |  | false |
  | ENABLE_LINKED_CI_ARTIFACT_COPY | bool |false | Enable copying artifacts from parent CI pipeline to linked CI pipeline during creation |  | false |
+ | ENABLE_PASSWORD_ENCRYPTION | bool |true | enable password encryption |  | false |
  | EPHEMERAL_SERVER_VERSION_REGEX | string |v[1-9]\.\b(2[3-9]\|[3-9][0-9])\b.* | ephemeral containers support version regex that is compared with k8sServerVersion |  | false |
  | EVENT_URL | string |http://localhost:3000/notify | Notifier service url |  | false |
  | EXECUTE_WIRE_NIL_CHECKER | bool |false | checks for any nil pointer in wire.go |  | false |

@@ -19,6 +19,7 @@ package repository
 import (
 	"github.com/devtron-labs/common-lib/securestore"
 	"github.com/devtron-labs/devtron/pkg/sql"
+	globalUtil "github.com/devtron-labs/devtron/util"
 	"github.com/go-pg/pg"
 	"go.uber.org/zap"
 )
@@ -37,8 +38,9 @@ type GitOpsConfigRepository interface {
 }
 
 type GitOpsConfigRepositoryImpl struct {
-	dbConnection *pg.DB
-	logger       *zap.SugaredLogger
+	dbConnection       *pg.DB
+	logger             *zap.SugaredLogger
+	GlobalEnvVariables *globalUtil.GlobalEnvVariables
 }
 
 type GitOpsConfig struct {
@@ -63,8 +65,8 @@ type GitOpsConfig struct {
 	sql.AuditLog
 }
 
-func NewGitOpsConfigRepositoryImpl(logger *zap.SugaredLogger, dbConnection *pg.DB) *GitOpsConfigRepositoryImpl {
-	return &GitOpsConfigRepositoryImpl{dbConnection: dbConnection, logger: logger}
+func NewGitOpsConfigRepositoryImpl(logger *zap.SugaredLogger, dbConnection *pg.DB, variables *globalUtil.EnvironmentVariables) *GitOpsConfigRepositoryImpl {
+	return &GitOpsConfigRepositoryImpl{dbConnection: dbConnection, logger: logger, GlobalEnvVariables: variables.GlobalEnvVariables}
 }
 
 func (impl *GitOpsConfigRepositoryImpl) GetConnection() *pg.DB {
@@ -73,9 +75,11 @@ func (impl *GitOpsConfigRepositoryImpl) GetConnection() *pg.DB {
 
 func (impl *GitOpsConfigRepositoryImpl) CreateGitOpsConfig(model *GitOpsConfig, tx *pg.Tx) (*GitOpsConfig, error) {
 	var err error
-	model.Token, err = securestore.EncryptString(model.Token.String())
-	if err != nil {
-		return model, err
+	if impl.GlobalEnvVariables.EnablePasswordEncryption {
+		model.Token, err = securestore.EncryptString(model.Token.String())
+		if err != nil {
+			return model, err
+		}
 	}
 	err = tx.Insert(model)
 	if err != nil {
@@ -85,9 +89,11 @@ func (impl *GitOpsConfigRepositoryImpl) CreateGitOpsConfig(model *GitOpsConfig,
 	return model, nil
 }
 func (impl *GitOpsConfigRepositoryImpl) UpdateGitOpsConfig(model *GitOpsConfig, tx *pg.Tx) (err error) {
-	model.Token, err = securestore.EncryptString(model.Token.String())
-	if err != nil {
-		return err
+	if impl.GlobalEnvVariables.EnablePasswordEncryption {
+		model.Token, err = securestore.EncryptString(model.Token.String())
+		if err != nil {
+			return err
+		}
 	}
 	err = tx.Update(model)
 	if err != nil {

@@ -99,27 +99,30 @@ type DockerArtifactStoreRepository interface {
 	FindInactive(storeId string) (bool, error)
 }
 type DockerArtifactStoreRepositoryImpl struct {
-	dbConnection *pg.DB
+	dbConnection       *pg.DB
+	GlobalEnvVariables *util.GlobalEnvVariables
 }
 
-func NewDockerArtifactStoreRepositoryImpl(dbConnection *pg.DB) *DockerArtifactStoreRepositoryImpl {
-	return &DockerArtifactStoreRepositoryImpl{dbConnection: dbConnection}
+func NewDockerArtifactStoreRepositoryImpl(dbConnection *pg.DB, environmentVariables *util.EnvironmentVariables) *DockerArtifactStoreRepositoryImpl {
+	return &DockerArtifactStoreRepositoryImpl{dbConnection: dbConnection, GlobalEnvVariables: environmentVariables.GlobalEnvVariables}
 }
 
 func (impl DockerArtifactStoreRepositoryImpl) GetConnection() *pg.DB {
 	return impl.dbConnection
 }
 
 func (impl DockerArtifactStoreRepositoryImpl) Save(artifactStore *DockerArtifactStore, tx *pg.Tx) (err error) {
-	artifactStore.Password, err = securestore.EncryptString(artifactStore.Password.String())
-	if err != nil {
-		return err
-	}
-	artifactStore.AWSSecretAccessKey, err = securestore.EncryptString(artifactStore.AWSSecretAccessKey.String())
-	if err != nil {
-		return err
-	}
 
+	if impl.GlobalEnvVariables.EnablePasswordEncryption {
+		artifactStore.Password, err = securestore.EncryptString(artifactStore.Password.String())
+		if err != nil {
+			return err
+		}
+		artifactStore.AWSSecretAccessKey, err = securestore.EncryptString(artifactStore.AWSSecretAccessKey.String())
+		if err != nil {
+			return err
+		}
+	}
 	if util.IsBaseStack() {
 		return tx.Insert(artifactStore)
 	}
@@ -246,13 +249,15 @@ func (impl DockerArtifactStoreRepositoryImpl) FindOneInactive(storeId string) (*
 }
 
 func (impl DockerArtifactStoreRepositoryImpl) Update(artifactStore *DockerArtifactStore, tx *pg.Tx) (err error) {
-	artifactStore.Password, err = securestore.EncryptString(artifactStore.Password.String())
-	if err != nil {
-		return err
-	}
-	artifactStore.AWSSecretAccessKey, err = securestore.EncryptString(artifactStore.AWSSecretAccessKey.String())
-	if err != nil {
-		return err
+	if impl.GlobalEnvVariables.EnablePasswordEncryption {
+		artifactStore.Password, err = securestore.EncryptString(artifactStore.Password.String())
+		if err != nil {
+			return err
+		}
+		artifactStore.AWSSecretAccessKey, err = securestore.EncryptString(artifactStore.AWSSecretAccessKey.String())
+		if err != nil {
+			return err
+		}
 	}
 	//TODO check for unique default
 	//there can be only one default

@@ -20,6 +20,7 @@ import (
 	"github.com/devtron-labs/common-lib/securestore"
 	"github.com/devtron-labs/devtron/internal/sql/constants"
 	"github.com/devtron-labs/devtron/pkg/sql"
+	globalUtil "github.com/devtron-labs/devtron/util"
 	"github.com/go-pg/pg"
 )
 
@@ -56,15 +57,16 @@ type GitProviderRepository interface {
 }
 
 type GitProviderRepositoryImpl struct {
-	dbConnection *pg.DB
+	GlobalEnvVariables *globalUtil.GlobalEnvVariables
+	dbConnection       *pg.DB
 }
 
-func NewGitProviderRepositoryImpl(dbConnection *pg.DB) *GitProviderRepositoryImpl {
-	return &GitProviderRepositoryImpl{dbConnection: dbConnection}
+func NewGitProviderRepositoryImpl(dbConnection *pg.DB, envVariables *globalUtil.EnvironmentVariables) *GitProviderRepositoryImpl {
+	return &GitProviderRepositoryImpl{dbConnection: dbConnection, GlobalEnvVariables: envVariables.GlobalEnvVariables}
 }
 
 func (impl GitProviderRepositoryImpl) Save(gitProvider *GitProvider) error {
-	err := encryptFieldsInGitProvider(gitProvider)
+	err := impl.encryptFieldsInGitProvider(gitProvider)
 	if err != nil {
 		return err
 	}
@@ -120,7 +122,7 @@ func (impl GitProviderRepositoryImpl) FindByUrl(providerUrl string) (GitProvider
 }
 
 func (impl GitProviderRepositoryImpl) Update(gitProvider *GitProvider) error {
-	err := encryptFieldsInGitProvider(gitProvider)
+	err := impl.encryptFieldsInGitProvider(gitProvider)
 	if err != nil {
 		return err
 	}
@@ -133,19 +135,21 @@ func (impl GitProviderRepositoryImpl) MarkProviderDeleted(gitProvider *GitProvid
 	return impl.dbConnection.Update(gitProvider)
 }
 
-func encryptFieldsInGitProvider(gitProvider *GitProvider) error {
+func (impl GitProviderRepositoryImpl) encryptFieldsInGitProvider(gitProvider *GitProvider) error {
 	var err error
-	gitProvider.Password, err = securestore.EncryptString(gitProvider.Password.String())
-	if err != nil {
-		return err
-	}
-	gitProvider.AccessToken, err = securestore.EncryptString(gitProvider.AccessToken.String())
-	if err != nil {
-		return err
-	}
-	gitProvider.SshPrivateKey, err = securestore.EncryptString(gitProvider.SshPrivateKey.String())
-	if err != nil {
-		return err
+	if impl.GlobalEnvVariables.EnablePasswordEncryption {
+		gitProvider.Password, err = securestore.EncryptString(gitProvider.Password.String())
+		if err != nil {
+			return err
+		}
+		gitProvider.AccessToken, err = securestore.EncryptString(gitProvider.AccessToken.String())
+		if err != nil {
+			return err
+		}
+		gitProvider.SshPrivateKey, err = securestore.EncryptString(gitProvider.SshPrivateKey.String())
+		if err != nil {
+			return err
+		}
 	}
 	return nil
 }
@@ -19,6 +19,7 @@ package repository
 import (
 	"github.com/devtron-labs/common-lib/securestore"
 	"github.com/devtron-labs/devtron/pkg/sql"
+	globalUtil "github.com/devtron-labs/devtron/util"
 	"github.com/go-pg/pg"
 	"go.uber.org/zap"
 	"time"
@@ -74,22 +75,26 @@ type ClusterRepository interface {
 	FindByClusterURL(clusterURL string) (*Cluster, error)
 }
 
-func NewClusterRepositoryImpl(dbConnection *pg.DB, logger *zap.SugaredLogger) *ClusterRepositoryImpl {
+func NewClusterRepositoryImpl(dbConnection *pg.DB, logger *zap.SugaredLogger, variables *globalUtil.EnvironmentVariables) *ClusterRepositoryImpl {
 	return &ClusterRepositoryImpl{
-		dbConnection: dbConnection,
-		logger:       logger,
+		dbConnection:       dbConnection,
+		logger:             logger,
+		GlobalEnvVariables: variables.GlobalEnvVariables,
 	}
 }
 
 type ClusterRepositoryImpl struct {
-	dbConnection *pg.DB
-	logger       *zap.SugaredLogger
+	dbConnection       *pg.DB
+	logger             *zap.SugaredLogger
+	GlobalEnvVariables *globalUtil.GlobalEnvVariables
 }
 
 func (impl ClusterRepositoryImpl) Save(model *Cluster) (err error) {
-	model.Config, err = securestore.EncryptMap(model.Config)
-	if err != nil {
-		return err
+	if impl.GlobalEnvVariables.EnablePasswordEncryption {
+		model.Config, err = securestore.EncryptMap(model.Config)
+		if err != nil {
+			return err
+		}
 	}
 	return impl.dbConnection.Insert(model)
 }
@@ -106,9 +111,11 @@ func (impl ClusterRepositoryImpl) FindOne(clusterName string) (*Cluster, error)
 }
 func (impl ClusterRepositoryImpl) SaveAll(models []*Cluster) (err error) {
 	for i := range models {
-		models[i].Config, err = securestore.EncryptMap(models[i].Config)
-		if err != nil {
-			return err
+		if impl.GlobalEnvVariables.EnablePasswordEncryption {
+			models[i].Config, err = securestore.EncryptMap(models[i].Config)
+			if err != nil {
+				return err
+			}
 		}
 	}
 	return impl.dbConnection.Insert(models)
@@ -191,9 +198,11 @@ func (impl ClusterRepositoryImpl) FindByIds(id []int) ([]Cluster, error) {
 }
 
 func (impl ClusterRepositoryImpl) Update(model *Cluster) (err error) {
-	model.Config, err = securestore.EncryptMap(model.Config)
-	if err != nil {
-		return err
+	if impl.GlobalEnvVariables.EnablePasswordEncryption {
+		model.Config, err = securestore.EncryptMap(model.Config)
+		if err != nil {
+			return err
+		}
 	}
 	return impl.dbConnection.Update(model)
 }

@@ -67,6 +67,7 @@ type GlobalEnvVariables struct {
 	IsAirGapEnvironment               bool `json:"isAirGapEnvironment" env:"IS_AIR_GAP_ENVIRONMENT" envDefault:"false"`
 	EnableLinkedCiArtifactCopy        bool `env:"ENABLE_LINKED_CI_ARTIFACT_COPY" envDefault:"false" description:"Enable copying artifacts from parent CI pipeline to linked CI pipeline during creation"`
 	LinkedCiArtifactCopyLimit         int  `env:"LINKED_CI_ARTIFACT_COPY_LIMIT" envDefault:"10" description:"Maximum number of artifacts to copy from parent CI pipeline to linked CI pipeline"`
+	EnablePasswordEncryption          bool `env:"ENABLE_PASSWORD_ENCRYPTION" envDefault:"true" description:"enable password encryption"`
 }
 
 type GlobalClusterConfig struct {