Merge pull request #726 from rstudio/workbench-k8s-secrets-for-sensitive-configs

Copy of the PR from pat-s:existingSecret so it can run tests properly

Author: jforest

.github/workflows/chart-test.yaml

@@ -173,6 +173,16 @@ jobs:
           kubectl create secret generic ppm-license --from-file=ppm.lic --namespace posit-test
           rm ppm.lic
 
+      - name: Create Workbench Secrets to test existingSecrets
+        run: |
+          echo "Generating a fake launcher.pem file"
+          openssl genrsa -out launcher.pem 4096
+          kubectl create secret generic launcherpem-secret --from-file=launcher.pem=launcher.pem --namespace posit-test
+          kubectl create secret generic userpassword-secret --from-literal=password="testpassword" --namespace posit-test
+          kubectl create secret generic securecookiekey-secret --from-literal=secure-cookie-key="ec44ae41-5b74-44a4-915b-3b0ac8ef72b6" --namespace posit-test
+          kubectl create secret generic globalsecurecookiekey-secret --from-literal=secure-cookie-key="ec44ae41-5b74-44a4-915b-3b0ac8ef72b6" --namespace posit-test
+          kubectl create secret generic databaseconf-secret --from-literal=database.conf="testdatabaseconf" --namespace posit-test
+
       # no allow-failure until https://github.com/actions/toolkit/issues/399
       - name: Run chart-testing (install changed)
         id: ct-install

charts/rstudio-workbench/Chart.yaml

@@ -1,6 +1,6 @@
 name: rstudio-workbench
 description: Official Helm chart for Posit Workbench
-version: 0.9.16
+version: 0.10.0
 apiVersion: v2
 appVersion: 2025.09.2
 icon: https://rstudio.com/wp-content/uploads/2018/10/RStudio-Logo-Flat.png

charts/rstudio-workbench/NEWS.md

@@ -1,5 +1,26 @@
 # Changelog
 
+## 0.10.0
+
+- BREAKING: `userPassword` has been replaced by `userPassword.value` or `userPassword.existingSecret`
+  - This allows for better secret management and avoids putting passwords in plaintext in `values.yaml`
+  - If you were using `userPassword`, you can migrate by setting `userPassword.value` to the same value
+  - Alternatively, you can create a Kubernetes secret with the password and set `userPassword.existingSecret` to the name of the secret
+- BREAKING: `launcherPem` has been replaced by `launcherPem.value` or `launcherPem.existingSecret`
+  - This allows for better secret management and avoids putting PEM keys in plaintext in `values.yaml`
+  - If you were using `launcherPem`, you can migrate by setting `launcherPem.value` to the same value
+  - Alternatively, you can create a Kubernetes secret with the PEM key and set `launcherPem.existingSecret` to the name of the secret
+- BREAKING: `secureCookieKey` has been replaced by `secureCookieKey.value` or `secureCookieKey.existingSecret`
+  - This allows for better secret management and avoids putting secure cookie keys in plaintext in `values.yaml`
+  - If you were using `secureCookieKey`, you can migrate by setting `secureCookieKey.value` to the same value
+  - Alternatively, you can create a Kubernetes secret with the secure cookie key and set `secureCookieKey.existingSecret` to the name of the secret
+- BREAKING `global.secureCookieKey` has been replaced by `global.secureCookieKey.value` or `global.secureCookieKey.existingSecret`
+  - This allows for better secret management and avoids putting secure cookie keys in plaintext in `values.yaml`
+  - If you were using `global.secureCookieKey`, you can migrate by setting `global.secureCookieKey.value` to the same value
+  - Alternatively, you can create a Kubernetes secret with the secure cookie key and set `global.secureCookieKey.existingSecret` to the name of the secret
+- Add `config.database.conf` section can be used to configure database settings. Either `config.database.conf.value` or `config.database.conf.existingSecret` can be used to set the database configuration.
+  - This can be used instead of specifying the database config values in plain text in `config.secret.database.conf`
+
 ## 0.9.16
 
 - Bump Workbench version to 2025.09.2

charts/rstudio-workbench/README.md

@@ -1,6 +1,6 @@
 # Posit Workbench
 
-![Version: 0.9.16](https://img.shields.io/badge/Version-0.9.16-informational?style=flat-square) ![AppVersion: 2025.09.2](https://img.shields.io/badge/AppVersion-2025.09.2-informational?style=flat-square)
+![Version: 0.10.0](https://img.shields.io/badge/Version-0.10.0-informational?style=flat-square) ![AppVersion: 2025.09.2](https://img.shields.io/badge/AppVersion-2025.09.2-informational?style=flat-square)
 
 #### _Official Helm chart for Posit Workbench_
 
@@ -24,11 +24,11 @@ To ensure a stable production deployment:
 
 ## Installing the chart
 
-To install the chart with the release name `my-release` at version 0.9.16:
+To install the chart with the release name `my-release` at version 0.10.0:
 
 ```{.bash}
 helm repo add rstudio https://helm.rstudio.com
-helm upgrade --install my-release rstudio/rstudio-workbench --version=0.9.16
+helm upgrade --install my-release rstudio/rstudio-workbench --version=0.10.0
 ```
 
 To explore other chart versions, look at:
@@ -109,7 +109,25 @@ Alternatively, license files can be set during `helm install` with the following
 
 Workbench requires a PostgreSQL database when running in Kubernetes. You must configure a [valid connection URI and a password](https://docs.posit.co/ide/server-pro/database/configuration.html#postgresql) for the product to function correctly. Both the connection URI and password may be specified in the `config` section of `values.yaml`. However, we recommend only adding the connection URI and putting the database password in a Kubernetes `Secret`, which can be [automatically set as an environment variable](#database-password).
 
-### Database configuration
+### Database configuration the new way:
+You can now specify your database connection details in `config.database.conf` as follows:
+```yaml
+config:
+  database:
+    conf:
+      value: |
+        provider=postgresql
+        connection-uri=postgres://<USERNAME>@<HOST>:<PORT>/<DATABASE>?sslmode=allow
+```
+
+or you can use an existing `Secret` that contains the database configuration file:
+```yaml
+config:
+  database:
+    conf:
+      existingSecret:
+
+### Database configuration the old way:
 
 Add the following to your `values.yaml`, replacing the `connection-uri` with your database details.
 
@@ -129,6 +147,12 @@ First, create a `Secret` declaratively with YAML or imperatively using the follo
 kubectl create secret generic rstudio-workbench-database --from-literal=password=YOURPASSWORDHERE
 ```
 
+To avoid storing the password in your shell history, use:
+```bash
+kubectl create secret generic rstudio-workbench-database --from-file=password=/path/to/password-file
+```
+the file at `/path/to/password-file` should contain only the password.
+
 Second, specify the following in your `values.yaml`:
 
 ```yaml
@@ -508,6 +532,9 @@ Use of [Sealed secrets](https://github.com/bitnami-labs/sealed-secrets) disables
 | chronicleAgent.workbenchApiKey.value | string | `""` | Workbench API key as a raw string to set as the `CHRONICLE_WORKBENCH_APIKEY` environment variable    (not recommended) |
 | chronicleAgent.workbenchApiKey.valueFrom | object | `{}` | Workbench API key as a `valueFrom` reference (ex. a Kubernetes Secret reference) to set as the    `CHRONICLE_WORKBENCH_APIKEY` environment variable (recommended) |
 | command | list | `[]` | command is the pod container's run command. By default, it uses the container's default. However, the chart expects a container using `supervisord` for startup |
+| config.database | object | `{"conf":{"existingSecret":"","value":""}}` | a map of database connection config files. Mounted to `/mnt/secret-configmap/rstudio/database.conf` with 0600 permissions |
+| config.database.conf.existingSecret | string | `""` | Secret for database connection config. Will take precedence over `config.database.conf.value`.  Key: 'database.conf' |
+| config.database.conf.value | string | `""` | Database connection config. Will only be used if `config.database.conf.existingSecret` is not set. |
 | config.defaultMode.jobJsonOverrides | int | 0644 | default mode for jobJsonOverrides config |
 | config.defaultMode.pam | int | 0644 | default mode for pam scripts |
 | config.defaultMode.prestart | int | 0755 | default mode for prestart config |
@@ -531,7 +558,9 @@ Use of [Sealed secrets](https://github.com/bitnami-labs/sealed-secrets) disables
 | diagnostics | object | `{"directory":"/var/log/rstudio","enabled":false}` | Settings for enabling server diagnostics |
 | extraObjects | list | `[]` | Extra objects to deploy (value evaluated as a template) |
 | fullnameOverride | string | `""` | the full name of the release (can be overridden) |
-| global.secureCookieKey | string | `""` |  |
+| global.secureCookieKey | object | `{"existingSecret":"","value":""}` | global.secureCookieKey takes precedence over secureCookieKey |
+| global.secureCookieKey.existingSecret | string | `""` | Secret containing secureCookieKey. Will take precedence over `global.secureCookieKey.value`. Key: 'secure-cookie-key' |
+| global.secureCookieKey.value | string | `""` | Will only be used if `global.secureCookieKey.existingSecret` is not set |
 | homeStorage.accessModes | list | `["ReadWriteMany"]` | accessModes defined for the storage PVC (represented as YAML) |
 | homeStorage.create | bool | `false` | whether to create the persistentVolumeClaim for homeStorage |
 | homeStorage.mount | bool | `false` | Whether the persistentVolumeClaim should be mounted (even if not created) |
@@ -563,7 +592,9 @@ Use of [Sealed secrets](https://github.com/bitnami-labs/sealed-secrets) disables
 | launcher.templateValues | object | `{"job":{"annotations":{},"labels":{},"ttlSecondsAfterFinished":null},"pod":{"affinity":{},"annotations":{},"command":[],"containerSecurityContext":{},"defaultSecurityContext":{},"env":[],"ephemeralStorage":{"limit":"","request":""},"extraContainers":[],"hostAliases":[],"imagePullPolicy":"","imagePullSecrets":[],"initContainers":[],"labels":{},"nodeSelector":{},"securityContext":{},"serviceAccountName":"","tolerations":[],"volumeMounts":[],"volumes":[]},"service":{"annotations":{},"labels":{},"type":"ClusterIP"}}` | values that are passed along to the launcher job rendering process as a data object (in JSON). These values are then used within session templates. |
 | launcher.templateValues.pod.command | list | `[]` | command for all pods. This is really not something we should expose and will be removed once we have a better option |
 | launcher.useTemplates | bool | `true` | whether to render and use templates in the job launching process |
-| launcherPem | string | `""` | An inline launcher.pem key. If not provided, one will be auto-generated. See README for more details. |
+| launcherPem | object | `{"existingSecret":"","value":""}` | An inline launcher.pem key. If not provided, one will be auto-generated. See README for more details. |
+| launcherPem.existingSecret | string | `""` | Existing secret containing launcherPem contents. Will take precedence over `launcherPem.value`. Key: 'launcher.pem' |
+| launcherPem.value | string | `""` | An inline launcher.pem key. If not provided, one will be auto-generated. See README for more details. Will only be used if `launcherPem.existingSecret` is not set. |
 | launcherPub | bool | `false` | An inline launcher.pub key to pair with launcher.pem. If `false` (the default), we will try to generate a `launcher.pub` from the provided `launcher.pem` |
 | license.file | object | `{"contents":false,"mountPath":"/etc/rstudio-licensing","mountSubPath":false,"secret":false,"secretKey":"license.lic"}` | the file section is used for licensing with a license file |
 | license.file.contents | bool | `false` | contents is an in-line license file, generally requiring the use of multi-line yaml notation |
@@ -609,7 +640,9 @@ Use of [Sealed secrets](https://github.com/bitnami-labs/sealed-secrets) disables
 | revisionHistoryLimit | int | `10` | The revisionHistoryLimit to use for the pod deployment. Do not set to 0 |
 | sealedSecret.annotations | object | `{}` | annotations for SealedSecret resources |
 | sealedSecret.enabled | bool | `false` | use SealedSecret instead of Secret to deploy secrets |
-| secureCookieKey | string | `""` |  |
+| secureCookieKey | object | `{"existingSecret":"","value":""}` | global.secureCookieKey takes precedence over secureCookieKey |
+| secureCookieKey.existingSecret | string | `""` | Secret containing secureCookieKey. Will take precedence over `secureCookieKey.value`. Key: 'secure-cookie-key' |
+| secureCookieKey.value | string | `""` | Will only be used if `secureCookieKey.existingSecret` is not set. |
 | securityContext | object | `{}` |  |
 | service.annotations | object | `{}` | Annotations for the service, for example to specify [an internal load balancer](https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer) |
 | service.clusterIP | string | `""` | The cluster-internal IP to use with `service.type` ClusterIP |
@@ -646,7 +679,9 @@ Use of [Sealed secrets](https://github.com/bitnami-labs/sealed-secrets) disables
 | topologySpreadConstraints | list | `[]` | An array used verbatim as the pod's "topologySpreadConstraints" definition |
 | userCreate | bool | `false` | userCreate determines whether a user should be created at startup (if true) |
 | userName | string | `"rstudio"` | userName determines the username of the created user |
-| userPassword | string | `"rstudio"` | userPassword determines the password of the created user |
+| userPassword | object | `{"existingSecret":"","value":"rstudio"}` | userPassword determines the password of the created user |
+| userPassword.existingSecret | string | `""` | Existing Secret for userPassword. Will take precedence over `userPassword.value`. Key: 'password' |
+| userPassword.value | string | `"rstudio"` | userPassword determines the password of the created user. Will only be used if `userPassword.existingSecret` is not set. |
 | userUid | string | `"10000"` | userUid determines the UID of the created user |
 | versionOverride | string | `""` | A Workbench version to override the "tag" for the RStudio Workbench image and the session images. Necessary until https://github.com/helm/helm/issues/8194 |
 | xdgConfigDirs | string | `"/mnt/dynamic:/mnt/session-configmap:/mnt/secret-configmap:/mnt/configmap:/mnt/load-balancer/"` | The XDG config dirs (directories where configuration will be read from). Do not change without good reason. |

charts/rstudio-workbench/README.md.gotmpl

@@ -54,7 +54,25 @@ To function, this chart requires the following:
 
 Workbench requires a PostgreSQL database when running in Kubernetes. You must configure a [valid connection URI and a password](https://docs.posit.co/ide/server-pro/database/configuration.html#postgresql) for the product to function correctly. Both the connection URI and password may be specified in the `config` section of `values.yaml`. However, we recommend only adding the connection URI and putting the database password in a Kubernetes `Secret`, which can be [automatically set as an environment variable](#database-password).
 
-### Database configuration
+### Database configuration the new way:
+You can now specify your database connection details in `config.database.conf` as follows:
+```yaml
+config:
+  database:
+    conf:
+      value: |
+        provider=postgresql
+        connection-uri=postgres://<USERNAME>@<HOST>:<PORT>/<DATABASE>?sslmode=allow
+```
+
+or you can use an existing `Secret` that contains the database configuration file:
+```yaml
+config:
+  database:
+    conf:
+      existingSecret:
+
+### Database configuration the old way:
 
 Add the following to your `values.yaml`, replacing the `connection-uri` with your database details.
 
@@ -74,6 +92,12 @@ First, create a `Secret` declaratively with YAML or imperatively using the follo
 kubectl create secret generic {{ .Name }}-database --from-literal=password=YOURPASSWORDHERE
 ```
 
+To avoid storing the password in your shell history, use:
+```bash
+kubectl create secret generic {{ .Name }}-database --from-file=password=/path/to/password-file
+```
+the file at `/path/to/password-file` should contain only the password.
+
 Second, specify the following in your `values.yaml`:
 
 ```yaml

charts/rstudio-workbench/ci/global-securecookiekey-existingsecret-values.yaml

@@ -0,0 +1,8 @@
+license:
+  file:
+    secret: pwb-license
+    secretKey: pwb.lic
+
+global:
+  secureCookieKey:
+    existingSecret: "globalsecurecookiekey-secret"

charts/rstudio-workbench/ci/global-securecookiekey-value-values.yaml

@@ -0,0 +1,8 @@
+license:
+  file:
+    secret: pwb-license
+    secretKey: pwb.lic
+
+global:
+  secureCookieKey:
+    value: "testsecurecookiekey"

charts/rstudio-workbench/ci/launcherpem-existingsecret-values.yaml

@@ -0,0 +1,7 @@
+license:
+  file:
+    secret: pwb-license
+    secretKey: pwb.lic
+
+launcherPem:
+  existingSecret: launcherpem-secret

charts/rstudio-workbench/ci/launcherpem-value-values.yaml

@@ -0,0 +1,7 @@
+license:
+  file:
+    secret: pwb-license
+    secretKey: pwb.lic
+
+launcherPem:
+  value: "TESTDATA"

charts/rstudio-workbench/ci/securecookiekey-existingsecret-values.yaml

@@ -0,0 +1,7 @@
+license:
+  file:
+    secret: pwb-license
+    secretKey: pwb.lic
+
+secureCookieKey:
+  existingSecret: "securecookiekey-secret"