Identity server certificate password set to "map[]" #118

@Niich

Description

Steps To Reproduce

  1. Start fresh with no secrets or anything in the bitwarden namespace.

  2. Create a "custom-secret" and set globalSettings__identityServer__certificatePassword

    kubectl create secret generic custom-secret -n bitwarden \
       --from-literal=globalSettings__identityServer__certificatePassword="MY_CUSTOM_p@ssw0rd" \
       --from-literal=SA_PASSWORD="REPLACE"

  3. Install Bitwarden with Helm.

  4. Check the value of the bitwarden-identity-cert-password secret

Expected Result

Setting globalSettings__identityServer__certificatePassword in the "custom-secret" can be used to set the value for the deployment. Or, if no value is provided, a unique password will be generated, so that all installs do not end up using the same value.

Actual Result

The value is rendered into the job that makes the identity certificate without checking the custom secret that is already in the cluster, leading to the value always being "map[]".

    # Source: self-host/templates/pre-install-job.yaml
    apiVersion: batch/v1
    kind: Job
    metadata:
      name: "bitwarden-setup"
      labels:
        app.kubernetes.io/component: pre-install-hook
      annotations:
        "helm.sh/hook": pre-install
        "helm.sh/hook-weight": "2"
        "helm.sh/hook-delete-policy": hook-succeeded,hook-failed,before-hook-creation
    spec:
      template:
        metadata:
          name: "bitwarden-setup"
          labels:
            app.kubernetes.io/component: pre-install-hook
        spec:
          serviceAccountName: "bitwarden-service-account"
          initContainers:
          - name: generate-identity-cert
            command:
              - "/bin/sh"
              - "-c"
            args: ['
              openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout /bitwarden/identity.key -out /bitwarden/identity.crt -subj "/CN=Bitwarden IdentityServer" -days 36500;
              openssl pkcs12 -export -out /bitwarden/identity.pfx -inkey /bitwarden/identity.key -in /bitwarden/identity.crt -passout pass:map[];
              chmod 777 /bitwarden/identity.pfx;
              echo Done;
            ']
            image: "docker.io/nginx:1.25.3"
            volumeMounts:
            - name: temp
              mountPath: "/bitwarden"
          containers:
          - name: create-resources
            command:
              - "/bin/sh"
              - "-c"
            args: ['
              ls -atlh /bitwarden;
              kubectl create secret generic bitwarden-identity-cert --from-file=/bitwarden/identity.pfx -n bitwarden ;
              kubectl create secret generic bitwarden-identity-cert-password -n bitwarden
                --from-literal=globalSettings__identityServer__certificatePassword="map[]";
              echo "Done"
            ']
            image: "bitnami/kubectl:1.21"
            volumeMounts:
            - name: temp
              mountPath: "/bitwarden"
          restartPolicy: Never
          volumes:
            - name: temp
              emptyDir:
                medium: Memory

Screenshots or Videos

No response

Additional Context

No response

Chart Version

self-host-2024.2.2

Environment Details

  • Environment: RKE2 v1.27.10+rke2r1
  • Helm: version.BuildInfo{Version:"v3.13.3", GitCommit:"c8b948945e52abba22ff885446a1486cb5fd3474", GitTreeState:"clean", GoVersion:"go1.20.11"}
  • Chart:
    apiVersion: v2
    appVersion: 2024.2.2
    description: A Helm chart for deploying a Bitwarden instance on Kubernetes
    home: https://github.com/bitwarden/helm-charts/tree/main/charts/self-host
    icon: https://raw.githubusercontent.com/bitwarden/brand/master/icons/icon-square.svg
    maintainers:
    - name: dept-devops
    name: self-host
    type: application
    version: 2024.2.2

Issue Tracking Info

  • I understand that work is tracked outside of GitHub. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.
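
A check for the condition reported above, added here as an example (it is not part of the issue or of the Bitwarden chart): it scans Helm-rendered output for Go template stringification artifacts in a credential position, and tests a base64 Secret value for the same. The function names and the sample lines are constructed for illustration, and it generalizes beyond `map[]` to `<no value>` and `<nil>`, which Go templates also print for unset values.

```shell
#!/bin/sh
# Added example: flag Go-template artifacts rendered where a credential belongs.

# Strings an empty or unset value turns into when a template prints it.
ARTIFACTS='map\[\]|<no value>|<nil>'

# Read a rendered manifest on stdin (e.g. the output of `helm template`).
# Print "LINE:text" for every line where an artifact follows openssl's
# "pass:" or a kubectl --from-literal key. Exit status 1 if any line matched.
scan_rendered_manifest() {
    hits=$(grep -nE "(pass:|--from-literal=[^=]+=\"?)($ARTIFACTS)" || true)
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits"
    return 1
}

# Take one base64 Secret value, as returned by
#   kubectl get secret bitwarden-identity-cert-password -n bitwarden \
#     -o jsonpath='{.data.globalSettings__identityServer__certificatePassword}'
# Exit 0 if it decodes to an artifact, 1 if it looks like a real value,
# 2 if it is not valid base64.
is_artifact_password() {
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 2
    printf '%s' "$decoded" | grep -qxE "$ARTIFACTS"
}

# Constructed sample in the shape of the rendered Job from the report;
# the third line stands in for a correctly rendered password.
SAMPLE_RENDERED='openssl pkcs12 -export -out /bitwarden/identity.pfx -passout pass:map[];
kubectl create secret generic bitwarden-identity-cert-password --from-literal=globalSettings__identityServer__certificatePassword="map[]";
openssl pkcs12 -export -out /bitwarden/identity.pfx -passout pass:constructed-Zx3-value;'

if ! printf '%s\n' "$SAMPLE_RENDERED" | scan_rendered_manifest; then
    echo "template artifact found in a credential position" >&2
fi
```

An installation whose Secret matches has a PFX protected by a publicly known string, so the identity certificate and its password should be regenerated rather than only the Secret edited.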
