- Story
- Resolution: Done
- Major
- AMQ 7.3.0.GA, AMQ 7.4.0.CR2
- None
- AMQ Sprint 3219, AMQ Sprint 3519

At the moment, the statefulset for the broker stores the user/password credentials in the environment variables AMQ_USER and AMQ_PASSWORD, as well as the cluster user/password in AMQ_CLUSTER_USER and AMQ_CLUSTER_PASSWORD. These can easily be read in the clear in the 'Environment' itself or as exposed through the OpenShift web console.
The model needs to be changed such that these values are stored encrypted in Kubernetes secrets, as per the keystore and truststores themselves. AMQ_KEYSTORE_PASSWORD and AMQ_TRUSTSTORE_PASSWORD should also be evaluated for fit.
This may necessitate a change to have the passwords specified in the configuration XML and the masking turned on.

- causes
  - ENTMQBR-3712 AMQ 7.7 SSL template: Keystore was tampered with, or password was incorrect (Closed)
- is cloned by
  - ENTMQBR-2830 Documentation: Ensure sensitive credentials are stored in kubernetes secrets (Closed)
- relates to
  - ENTMQBR-2628 Ensure sensitive credentials are not logged in plain text (Closed)
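
A check for the condition this ticket describes, as an added example that is not part of the original issue or the AMQ project's code: it scans a StatefulSet manifest (as JSON, for instance from `oc get statefulset -o json`) for the variables named in the description that are not sourced from a Secret. The manifest, the container names and the `broker-credentials` Secret name are constructed for illustration.

```python
import json

# Variable names taken from the ticket description.
SENSITIVE = {"AMQ_USER", "AMQ_PASSWORD", "AMQ_CLUSTER_USER", "AMQ_CLUSTER_PASSWORD",
             "AMQ_KEYSTORE_PASSWORD", "AMQ_TRUSTSTORE_PASSWORD"}

def audit_statefulset(manifest):
    """Return sorted (container, variable, finding) tuples for sensitive
    env vars that are not populated from a Secret via secretKeyRef."""
    findings = []
    pod = manifest.get("spec", {}).get("template", {}).get("spec", {})
    containers = (pod.get("containers") or []) + (pod.get("initContainers") or [])
    for c in containers:
        for env in c.get("env") or []:
            name = env.get("name")
            if name not in SENSITIVE:
                continue
            source = env.get("valueFrom") or {}
            if "secretKeyRef" in source:
                continue  # sourced from a Secret: the model the ticket asks for
            # A literal "value" is readable in the pod spec and the web console.
            kind = "literal value" if "value" in env else "not from a Secret"
            findings.append((c.get("name", "?"), name, kind))
    return sorted(findings)

# Constructed sample: one container in the current model, one in the target model.
SAMPLE = json.loads("""
{"kind": "StatefulSet", "metadata": {"name": "broker-ss"},
 "spec": {"template": {"spec": {"containers": [
   {"name": "broker-before", "env": [
     {"name": "AMQ_USER", "value": "admin"},
     {"name": "AMQ_PASSWORD", "value": "example-only"},
     {"name": "AMQ_CLUSTER_PASSWORD", "valueFrom":
       {"configMapKeyRef": {"name": "broker-cm", "key": "clusterPassword"}}},
     {"name": "AMQ_NAME", "value": "broker"}]},
   {"name": "broker-after", "env": [
     {"name": "AMQ_USER", "valueFrom":
       {"secretKeyRef": {"name": "broker-credentials", "key": "AMQ_USER"}}},
     {"name": "AMQ_PASSWORD", "valueFrom":
       {"secretKeyRef": {"name": "broker-credentials", "key": "AMQ_PASSWORD"}}}]}
 ]}}}}
""")

if __name__ == "__main__":
    for container, var, kind in audit_statefulset(SAMPLE):
        print(f"{container}: {var} ({kind})")
```

Variables injected through `envFrom` do not appear in the `env` list, so this check neither flags nor verifies them.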