feat: add nameservice configuration for current user execution

Merge pull request #727 from rstudio/lucas-configure-nameservice-for-racu-sso

Author: lucasrod16

charts/rstudio-connect/Chart.yaml

@@ -1,6 +1,6 @@
 name: rstudio-connect
 description: Official Helm chart for Posit Connect
-version: 0.8.17
+version: 0.8.18
 apiVersion: v2
 appVersion: 2025.12.1
 icon: https://rstudio.com/wp-content/uploads/2018/10/RStudio-Logo-Flat.png

charts/rstudio-connect/README.md

@@ -1,6 +1,6 @@
 # Posit Connect
 
-![Version: 0.8.17](https://img.shields.io/badge/Version-0.8.17-informational?style=flat-square) ![AppVersion: 2025.12.1](https://img.shields.io/badge/AppVersion-2025.12.1-informational?style=flat-square)
+![Version: 0.8.18](https://img.shields.io/badge/Version-0.8.18-informational?style=flat-square) ![AppVersion: 2025.12.1](https://img.shields.io/badge/AppVersion-2025.12.1-informational?style=flat-square)
 
 #### _Official Helm chart for Posit Connect_
 
@@ -30,11 +30,11 @@ To ensure reproducibility in your environment and insulate yourself from future
 
 ## Installing the chart
 
-To install the chart with the release name `my-release` at version 0.8.17:
+To install the chart with the release name `my-release` at version 0.8.18:
 
 ```{.bash}
 helm repo add rstudio https://helm.rstudio.com
-helm upgrade --install my-release rstudio/rstudio-connect --version=0.8.17
+helm upgrade --install my-release rstudio/rstudio-connect --version=0.8.18
 ```
 
 To explore other chart versions, look at:
@@ -278,6 +278,11 @@ The Helm `config` values are converted into the `rstudio-connect.gcfg` service c
 | license.server | bool | `false` | server is the <hostname>:<port> for a license server |
 | livenessProbe | object | `{"enabled":false,"failureThreshold":10,"httpGet":{"path":"/__ping__","port":3939},"initialDelaySeconds":10,"periodSeconds":5,"timeoutSeconds":2}` | Used to configure the container's livenessProbe. Only included if enabled = true |
 | nameOverride | string | `""` | The name of the chart deployment (can be overridden) |
+| nameservice | object | `{"apiKey":"","enabled":false,"secretName":"","server":"http://127.0.0.1:3939"}` | Nameservice configuration for current user execution (RunAsCurrentUser). This can only be enabled if using an SSO authentication provider (OAuth2, SAML, or LDAP). |
+| nameservice.apiKey | string | `""` | Connect API key for nameservice module. Must be a Viewer API key. |
+| nameservice.enabled | bool | `false` | Whether to enable nameservice integration. |
+| nameservice.secretName | string | `""` | Optional: name of existing secret containing libnss_connect.conf (overrides apiKey and server). The secret must be in the same namespace as the Connect deployment. |
+| nameservice.server | string | `"http://127.0.0.1:3939"` | Connect server URL for nameservice module. |
 | nodeSelector | object | `{}` | A map used verbatim as the pod's "nodeSelector" definition |
 | pod.affinity | object | `{}` | A map used verbatim as the pod's "affinity" definition |
 | pod.annotations | object | `{}` | Additional annotations to add to the rstudio-connect pods |

charts/rstudio-connect/prestart.bash

@@ -2,9 +2,7 @@
 set -o errexit
 set -o pipefail
 
-main() {
-  local startup_script="${1:-/usr/local/bin/startup.sh}"
-
+kubernetes_health_check() {
   local cacert='/var/run/secrets/kubernetes.io/serviceaccount/ca.crt'
   local k8s_url="https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}"
 
@@ -18,6 +16,50 @@ main() {
     --cacert "${cacert}" \
     "${k8s_url}/healthz" 2>&1 | _indent
   printf '\n'
+}
+
+configure_nameservice_module() {
+  # Check if NSS Connect config file exists (mounted as a secret)
+  if [[ ! -f "/etc/libnss_connect.conf" ]]; then
+    _logf 'Nameservice config not found at /etc/libnss_connect.conf. Skipping nameservice setup'
+    return 0
+  fi
+
+  _logf 'Found /etc/libnss_connect.conf mounted from secret'
+  _logf 'Configuring nameservice module'
+
+  cp /etc/nsswitch.conf /etc/nsswitch.conf.backup
+
+  # Ensure required lines exist in nsswitch.conf
+  # Default to 'files' which matches glibc's implicit default when a line is missing
+  for db in passwd group initgroups; do
+    grep -q "^${db}:" /etc/nsswitch.conf || echo "${db}: files" >> /etc/nsswitch.conf
+  done
+
+  # Add 'connect' module to each line
+  sed -i \
+    -e '/^passwd:/ { /connect/! s/$/ connect/ }' \
+    -e '/^group:/ { /connect/! s/$/ connect/ }' \
+    -e '/^initgroups:/ { /connect/! s/$/ connect/ }' \
+    /etc/nsswitch.conf
+
+  _logf 'Updated /etc/nsswitch.conf with connect module'
+
+  # Run the nameservice activation script
+  if [[ -x "/opt/rstudio-connect/extras/nameservice/activate-nameservice.sh" ]]; then
+    /opt/rstudio-connect/extras/nameservice/activate-nameservice.sh
+  else
+    _logf 'WARNING: nameservice activation script not found or not executable'
+  fi
+
+  printf '\n'
+}
+
+main() {
+  local startup_script="${1:-/usr/local/bin/startup.sh}"
+
+  kubernetes_health_check
+  configure_nameservice_module
 
   _logf 'Replacing process with %s' "${startup_script}"
   exec "${startup_script}"

charts/rstudio-connect/templates/deployment.yaml

@@ -219,6 +219,12 @@ spec:
             {{- end }}
           {{- end }}
           {{ include "rstudio-library.license-mount" (dict "license" ( .Values.license )) | indent 10 }}
+          {{- if .Values.nameservice.enabled }}
+          - name: nameservice-config
+            mountPath: "/etc/libnss_connect.conf"
+            subPath: "libnss_connect.conf"
+            readOnly: true
+          {{- end }}
       {{- if .Values.pod.volumeMounts }}
           {{- toYaml .Values.pod.volumeMounts | nindent 10 }}
       {{- end }}
@@ -289,6 +295,15 @@ spec:
       {{- if .Values.pod.volumes }}
 {{ toYaml .Values.pod.volumes | indent 6 }}
       {{- end }}
+      {{- if .Values.nameservice.enabled }}
+      - name: nameservice-config
+        secret:
+          secretName: {{ .Values.nameservice.secretName | default (printf "%s-nameservice-config" (include "rstudio-connect.fullname" .)) }}
+          defaultMode: 0444
+          items:
+          - key: libnss_connect.conf
+            path: libnss_connect.conf
+      {{- end }}
       {{- if .Values.launcher.enabled }}
       {{- if .Values.launcher.useTemplates }}
       - name: rstudio-connect-templates

charts/rstudio-connect/templates/nameservice-secret.yaml

@@ -0,0 +1,31 @@
+{{- if .Values.nameservice.enabled }}
+{{- $authProvider := "" }}
+{{- if hasKey .Values.config "Authentication" }}
+{{- if hasKey .Values.config.Authentication "Provider" }}
+{{- $authProvider = .Values.config.Authentication.Provider }}
+{{- end }}
+{{- end }}
+{{- $validProviders := list "oauth2" "saml" "ldap" }}
+{{- if not (has $authProvider $validProviders) }}
+{{- fail (printf "nameservice.enabled requires config.Authentication.Provider to be one of: %s. Current provider: '%s'" (join ", " $validProviders) $authProvider) }}
+{{- end }}
+{{- if and .Values.nameservice.secretName .Values.nameservice.apiKey }}
+{{- fail "nameservice.secretName and nameservice.apiKey cannot both be set. Use secretName to use an existing secret OR apiKey to create a new secret." }}
+{{- end }}
+{{- if and (not .Values.nameservice.secretName) (not .Values.nameservice.apiKey) }}
+{{- fail "When nameservice.enabled is true, either nameservice.secretName (for existing secret) or nameservice.apiKey (to create new secret) must be provided." }}
+{{- end }}
+{{- if not .Values.nameservice.secretName }}
+{{- $config := printf "CONNECT_API_KEY=%s\nCONNECT_SERVER=%s" .Values.nameservice.apiKey .Values.nameservice.server }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "rstudio-connect.fullname" . }}-nameservice-config
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    {{- include "rstudio-connect.labels" . | nindent 4 }}
+type: Opaque
+data:
+  libnss_connect.conf: {{ $config | b64enc | quote }}
+{{- end }}
+{{- end }}