feat: helm install checks password complexity [DET-10293] (#9360)

determined-ai · May 21, 2024 · c3b3ae6 · c3b3ae6
1 parent 5c51164
commit c3b3ae6
Showing 1 changed file with 20 additions and 3 deletions.
diff --git a/helm/charts/determined/templates/master-config.yaml b/helm/charts/determined/templates/master-config.yaml
@@ -1,3 +1,20 @@
+{{- if empty (lookup "v1" "Service" .Release.Namespace (printf "determined-db-service-%s" .Release.Name)) }}
+  {{- $initialPassword := coalesce .Values.initialUserPassword .Values.defaultPassword | required "An initial password for admin and determined users is required!" }}
+  {{- if not (gt (len $initialPassword) 7) }}
+    {{- fail "initialUserPassword must have at least 8 characters" }}
+  {{- end }}
+  {{- if not (regexMatch "[A-Z]" $initialPassword) }}
+    {{- fail "initialUserPassword must include an uppercase letter" }}
+  {{- end }}
+  {{- if not (regexMatch "[a-z]" $initialPassword) }}
+    {{- fail "initialUserPassword must include a lowercase letter" }}
+  {{- end }}
+  {{- if not (regexMatch "[0-9]" $initialPassword) }}
+    {{- fail "initialUserPassword must include a number" }}
+  {{- end }}
+{{- end}}
+
+---
 apiVersion: v1
 kind: Secret
 metadata:
@@ -56,9 +73,9 @@ stringData:
       {{- end }}
 
     security:
-      {{- if empty (lookup "v1" "Service" .Release.Namespace (printf "determined-db-service-%s" .Release.Name)) }}
-      initial_user_password: {{ coalesce .Values.initialUserPassword .Values.defaultPassword | quote | required "An initial password for admin and determined users is required!" }}
-      {{- end}}
+      {{- if $initialPassword := coalesce .Values.initialUserPassword .Values.defaultPassword }}
+      initial_user_password: {{ quote $initialPassword }}
+      {{- end }}
       {{- if .Values.tlsSecret }}
       tls:
         cert: {{ include "determined.secretPath" . }}tls.crt