fix: helm prefers initialUserPassword over defaultPassword, never mak…

…es a sidecar

docs/reference/deploy/helm-config-reference.rst

@@ -228,8 +228,11 @@
    automatically terminated. A TensorBoard instance is considered to be idle if it does not receive
    any HTTP traffic. The default timeout is 300 (5 minutes).
 
+-  ``initialUserPassword``: Specifies a string containing the default password for the admin and
+   determined user accounts. (Preferred over ``defaultPassword``.)
+
 -  ``defaultPassword``: Specifies a string containing the default password for the admin and
-   determined user accounts.
+   determined user accounts. (Deprecated; prefer ``initialUserPassword``)
 
 -  ``logging``: Configures where trial logs are stored. This section takes the same shape as the
    logging configuration in the :ref:`cluster configuration <cluster-configuration>`, except that

docs/release-notes/helm-requires-user-password.rst

@@ -0,0 +1,8 @@
+:orphan:
+
+**Security Fixes**
+
+-  Helm: When deploying a new cluster with Helm, an initial password for the ``admin`` and
+      ``determined`` users should be specified using either ``initialUserPassword`` or
+      ``defaultPassword`` (see helm/charts/determined/values.yaml). Configuring a password is no
+      longer done as a separate step.

helm/charts/determined/templates/master-config.yaml

@@ -57,7 +57,7 @@ stringData:
 
     security:
       {{- if .Values.initialUserPassword }}
-      initial_user_password: {{ .Values.initialUserPassword | quote }}
+      initial_user_password: {{ coalesce .Values.initialUserPassword .Values.defaultPassword | quote }}
       {{- end }}
       {{- if .Values.tlsSecret }}
       tls: