feat: helm deploys with a password (#9113)

DET-10208 Helm deploys with the initialUserPassword or defaultPassword

docs/reference/deploy/helm-config-reference.rst

@@ -228,9 +228,12 @@
    automatically terminated. A TensorBoard instance is considered to be idle if it does not receive
    any HTTP traffic. The default timeout is 300 (5 minutes).
 
--  ``defaultPassword``: Specifies a string containing the default password for the admin and
+-  ``initialUserPassword``: Specifies a string containing the default password for the admin and
    determined user accounts.
 
+-  ``defaultPassword``: (*Deprecated*) Specifies a string containing the default password for the
+   admin and determined user accounts. Use ``initialUserPassword`` instead.
+
 -  ``logging``: Configures where trial logs are stored. This section takes the same shape as the
    logging configuration in the :ref:`cluster configuration <cluster-configuration>`, except that
    names are changed to camel case to match Helm conventions (e.g., ``skip_verify`` would be

docs/release-notes/helm-requires-user-password.rst

@@ -0,0 +1,9 @@
+:orphan:
+
+**Security Fixes**
+
+-  Helm: When deploying a new cluster with Helm, configuring an initial password for the "admin" and
+   "determined" users is required and is no longer a separate step. To specify an initial password
+   for these users, visit the helm/charts/determined/values.yaml file and use either
+   initialUserPassword (preferred) or defaultPassword (deprecated). For reference, visit
+   :ref:helm-config-reference.

helm/charts/determined/templates/master-config.yaml

@@ -57,7 +57,7 @@ stringData:
 
     security:
       {{- if .Values.initialUserPassword }}
-      initial_user_password: {{ .Values.initialUserPassword | quote }}
+      initial_user_password: {{ coalesce .Values.initialUserPassword .Values.defaultPassword | quote }}
       {{- end }}
       {{- if .Values.tlsSecret }}
       tls: