**Summary:**

- Add extraInitContainers to celery+django deployments.
- Add extraEnv to all deployments
- Remove existing volume logic in favor of agnostic extraVolumes and extraVolumeMounts
- Fix optional secret mounts + reference
- Update bitnami chart reference (OCI)
- Bump up redis chart

Author: fernandezcuesta

helm/defectdojo/Chart.lock

@@ -1,9 +1,9 @@
 dependencies:
 - name: postgresql
-  repository: https://charts.bitnami.com/bitnami
-  version: 16.7.0
+  repository: oci://registry-1.docker.io/bitnamicharts
+  version: 16.7.13
 - name: redis
-  repository: https://charts.bitnami.com/bitnami
-  version: 19.6.4
-digest: sha256:20147b5ef71e728a24b1ce410bfbc64885bb824bac17d75dc3ad49e9af5f1b01
-generated: "2025-05-08T15:21:14.221601771Z"
+  repository: oci://registry-1.docker.io/bitnamicharts
+  version: 21.2.5
+digest: sha256:e7440eab01608ec924098f92de7c077f43595776275ef6e96df6d2dc1b2156f4
+generated: "2025-06-25T13:39:17.038667777+02:00"

helm/defectdojo/Chart.yaml

@@ -11,9 +11,9 @@ maintainers:
 dependencies:
   - name: postgresql
     version: ~16.7.0
-    repository: "https://charts.bitnami.com/bitnami"
+    repository: oci://registry-1.docker.io/bitnamicharts
     condition: postgresql.enabled
   - name: redis
-    version: ~19.6.0
-    repository: "https://charts.bitnami.com/bitnami"
+    version: ~21.2.5
+    repository: oci://registry-1.docker.io/bitnamicharts
     condition: redis.enabled

helm/defectdojo/templates/_helpers.tpl

@@ -61,7 +61,7 @@ Create the name of the service account to use
 {{- if .Values.redis.enabled -}}
 {{- printf "%s-%s" .Release.Name "redis-master" | trunc 63 | trimSuffix "-" -}}
 {{- else -}}
-{{- printf "%s" (.Values.celery.brokerHost | default .Values.redis.redisServer) -}}
+{{- .Values.celery.brokerHost }}
 {{- end -}}
 {{- end -}}
 {{- end -}}

helm/defectdojo/templates/celery-beat-deployment.yaml

@@ -71,22 +71,16 @@ spec:
         configMap:
           name: {{ .Values.django.uwsgi.certificates.configName }}
       {{- end }}
-      {{- range .Values.celery.extraVolumes }}
-      - name: userconfig-{{ .name }}
-        {{ .type }}:
-          {{- if (eq .type "configMap") }}
-          name: {{ .name }}
-          {{- else if (eq .type "secret") }}
-          secretName: {{ .name }}
-          {{- else if (eq .type "hostPath") }}
-          type: {{ .pathType | default "Directory" }}
-          path: {{ .hostPath }}
-          {{- end }}
+      {{- with .Values.celery.beat.extraVolumes }}
+        {{- . | toYaml | nindent 6 }}
       {{- end }}
-      {{- if or .Values.dbMigrationChecker.enabled .Values.cloudsql.enabled }}
+      {{- if coalesce .Values.dbMigrationChecker.enabled .Values.cloudsql.enabled .Values.celery.beat.extraInitContainers }}
       initContainers:
+      {{- range .Values.celery.beat.extraInitContainers }}
+      - {{- . | toYaml | nindent 8 }}
       {{- end }}
-      {{- if .Values.cloudsql.enabled  }}
+      {{- end }}
+      {{- if .Values.cloudsql.enabled }}
       - name: cloudsql-proxy
         image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }}
         imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }}
@@ -115,6 +109,15 @@ spec:
         name: celery
         image: "{{ template "celery.repository" . }}:{{ .Values.tag }}"
         imagePullPolicy: {{ .Values.imagePullPolicy }}
+        {{- with .Values.celery.beat.livenessProbe }}
+        livenessProbe: {{ toYaml . | nindent 10 }}
+        {{- end }}
+        {{- with .Values.celery.beat.readinessProbe }}
+        readinessProbe: {{ toYaml . | nindent 10 }}
+        {{- end }}
+        {{- with .Values.celery.beat.startupProbe }}
+        startupProbe: {{ toYaml . | nindent 10 }}
+        {{- end }}
         {{- if .Values.securityContext.enabled }}
         securityContext:
           {{- toYaml .Values.securityContext.djangoSecurityContext | nindent 10 }}
@@ -128,15 +131,12 @@ spec:
           mountPath: /app/dojo/settings/local_settings.py
           subPath: file
         {{- end }}
-        {{- if  .Values.django.uwsgi.certificates.enabled }}
+        {{- if .Values.django.uwsgi.certificates.enabled }}
         - name: cert-mount
           mountPath: {{ .Values.django.uwsgi.certificates.certMountPath }}
         {{- end }}
-        {{- range .Values.celery.extraVolumes }}
-        - name: userconfig-{{ .name }}
-          readOnly: true
-          mountPath: {{ .path }}
-          subPath: {{ .subPath }}
+        {{- with .Values.celery.beat.extraVolumeMounts }}
+          {{- . | toYaml | nindent 8 }}
         {{- end }}
         envFrom:
         - configMapRef:
@@ -162,8 +162,8 @@ spec:
             secretKeyRef:
               name: {{ $fullName }}
               key: DD_SECRET_KEY
-        {{- with .Values.extraEnv }}
-          {{- toYaml . | nindent 8 }}
+        {{- with .Values.celery.beat.extraEnv }}
+          {{- . | toYaml | nindent 8 }}
         {{- end }}
         resources:
           {{- toYaml .Values.celery.beat.resources | nindent 10 }}

helm/defectdojo/templates/celery-worker-deployment.yaml

@@ -69,20 +69,14 @@ spec:
         configMap:
           name: {{ .Values.django.uwsgi.certificates.configName }}
       {{- end }}
-      {{- range .Values.celery.extraVolumes }}
-      - name: userconfig-{{ .name }}
-        {{ .type }}:
-          {{- if (eq .type "configMap") }}
-          name: {{ .name }}
-          {{- else if (eq .type "secret") }}
-          secretName: {{ .name }}
-          {{- else if (eq .type "hostPath") }}
-          type: {{ .pathType | default "Directory" }}
-          path: {{ .hostPath }}
-          {{- end }}
+      {{- with .Values.celery.beat.extraVolumes }}
+        {{- . | toYaml | nindent 6 }}
       {{- end }}
-      {{- if or .Values.dbMigrationChecker.enabled .Values.cloudsql.enabled }}
+      {{- if coalesce .Values.dbMigrationChecker.enabled .Values.cloudsql.enabled .Values.celery.worker.extraInitContainers }}
       initContainers:
+      {{- range .Values.celery.worker.extraInitContainers }}
+      - {{- . | toYaml | nindent 8 }}
+      {{- end }}
       {{- end }}
       {{- if .Values.cloudsql.enabled  }}
       - name: cloudsql-proxy
@@ -111,13 +105,22 @@ spec:
       - name: celery
         image: "{{ template "celery.repository" . }}:{{ .Values.tag }}"
         imagePullPolicy: {{ .Values.imagePullPolicy }}
+        {{- with .Values.celery.worker.livenessProbe }}
+        livenessProbe: {{ toYaml . | nindent 10 }}
+        {{- end }}
+        {{- with .Values.celery.worker.readinessProbe }}
+        readinessProbe: {{ toYaml . | nindent 10 }}
+        {{- end }}
+        {{- with .Values.celery.worker.startupProbe }}
+        startupProbe: {{ toYaml . | nindent 10 }}
+        {{- end }}
         {{- if .Values.securityContext.enabled }}
         securityContext:
           {{- toYaml .Values.securityContext.djangoSecurityContext | nindent 10 }}
         {{- end }}
         command: ['/entrypoint-celery-worker.sh']
         volumeMounts:
-        {{- if  .Values.localsettingspy }}
+        {{- if .Values.localsettingspy }}
         - name: localsettingspy
           readOnly: true
           mountPath: /app/dojo/settings/local_settings.py
@@ -127,11 +130,8 @@ spec:
         - name: cert-mount
           mountPath: {{ .Values.django.uwsgi.certificates.certMountPath }}
         {{- end }}
-        {{- range .Values.celery.extraVolumes }}
-        - name: userconfig-{{ .name }}
-          readOnly: true
-          mountPath: {{ .path }}
-          subPath: {{ .subPath }}
+        {{- with .Values.celery.worker.extraVolumeMounts }}
+          {{- . | toYaml | nindent 8 }}
         {{- end }}
         envFrom:
         - configMapRef:
@@ -157,8 +157,8 @@ spec:
             secretKeyRef:
               name: {{ $fullName }}
               key: DD_SECRET_KEY
-        {{- with .Values.extraEnv }}
-          {{- toYaml . | nindent 8 }}
+        {{- with .Values.celery.worker.extraEnv }}
+          {{- . | toYaml | nindent 8 }}
         {{- end }}
         resources:
           {{- toYaml .Values.celery.worker.resources | nindent 10 }}

helm/defectdojo/templates/configmap.yaml

@@ -54,5 +54,6 @@ data:
 {{- if  .Values.django.uwsgi.certificates.enabled }}
   REQUESTS_CA_BUNDLE: {{ .Values.django.uwsgi.certificates.certMountPath }}{{ .Values.django.uwsgi.certificates.certFileName }}
 {{- end }}
-{{- with .Values.extraConfigs  }}
-  {{- toYaml . | nindent 2 }}{{- end }}
+{{- with .Values.extraConfigs }}
+  {{- toYaml . | nindent 2 }}
+{{- end }}

helm/defectdojo/templates/django-deployment.yaml

@@ -24,8 +24,8 @@ spec:
   strategy:
     {{- toYaml . | nindent 4 }}
   {{- end }}
-  {{- if .Values.revisionHistoryLimit }}
-  revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
+  {{- with .Values.revisionHistoryLimit }}
+  revisionHistoryLimit: {{ . }}
   {{- end }}
   selector:
     matchLabels:
@@ -61,9 +61,9 @@ spec:
       {{- end }}
     spec:
       serviceAccountName: {{ include "defectdojo.serviceAccountName" . }}
-      {{- if .Values.imagePullSecrets }}
+      {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
-      - name: {{ .Values.imagePullSecrets }}
+      - name: {{ quote . }}
       {{- end }}
       {{- if .Values.django.mediaPersistentVolume.enabled }}
       securityContext:
@@ -72,41 +72,34 @@ spec:
       volumes:
       - name: run
         emptyDir: {}
-      {{- if  .Values.localsettingspy }}
+      {{- if .Values.localsettingspy }}
       - name: localsettingspy
         configMap:
           name: {{ $fullName }}-localsettingspy
       {{- end }}
-      {{- if  .Values.django.uwsgi.certificates.enabled }}
+      {{- if .Values.django.uwsgi.certificates.enabled }}
       - name: cert-mount
         configMap:
           name: {{ .Values.django.uwsgi.certificates.configName }}
       {{- end }}
-      {{- range .Values.django.extraVolumes }}
-      - name: userconfig-{{ .name }}
-        {{ .type }}:
-          {{- if (eq .type "configMap") }}
-          name: {{ .name }}
-          {{- else if (eq .type "secret") }}
-          secretName: {{ .name }}
-          {{- else if (eq .type "hostPath") }}
-          type: {{ .pathType | default "Directory" }}
-          path: {{ .hostPath }}
-          {{- end }}
+      {{- with .Values.django.extraVolumes }}
+        {{- . | toYaml | nindent 6 }}
       {{- end }}
       {{- if .Values.django.mediaPersistentVolume.enabled }}
       - name: {{ .Values.django.mediaPersistentVolume.name }}
-        {{- if eq .Values.django.mediaPersistentVolume.type "pvc"  }}
+        {{- if eq .Values.django.mediaPersistentVolume.type "pvc" }}
         persistentVolumeClaim:
           claimName: {{ include "django.pvc_name" $ }}
         {{ else }}
         emptyDir: {}
         {{- end }}
       {{- end }}
-      {{- if or .Values.dbMigrationChecker.enabled .Values.cloudsql.enabled }}
+      {{- if coalesce .Values.dbMigrationChecker.enabled .Values.cloudsql.enabled .Values.django.extraInitContainers }}
       initContainers:
+      {{- range .Values.django.extraInitContainers }}
+      - {{- . | toYaml | nindent 8 }}
       {{- end }}
-      {{- if .Values.cloudsql.enabled  }}
+      {{- if .Values.cloudsql.enabled }}
       - name: cloudsql-proxy
         image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }}
         imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }}
@@ -129,6 +122,7 @@ spec:
       {{- $newContext := merge . (dict "fullName" $fullName) }}
       {{- include "dbMigrationChecker" $newContext | nindent 6 }}
       {{- end }}
+      {{- end }}
       containers:
       {{- if and .Values.monitoring.enabled .Values.monitoring.prometheus.enabled }}
       - name: metrics
@@ -157,23 +151,18 @@ spec:
         volumeMounts:
         - name: run
           mountPath: /run/defectdojo
-        {{- if  .Values.localsettingspy }}
+        {{- if .Values.localsettingspy }}
         - name: localsettingspy
           readOnly: true
           mountPath: /app/dojo/settings/local_settings.py
           subPath: file
         {{- end }}
-        {{- if  .Values.django.uwsgi.certificates.enabled }}
+        {{- if .Values.django.uwsgi.certificates.enabled }}
         - name: cert-mount
           mountPath: {{ .Values.django.uwsgi.certificates.certMountPath }}
         {{- end }}
-        {{- range .Values.django.extraVolumes }}
-        {{- if (eq .container "uwsgi") }}
-        - name: userconfig-{{ .name }}
-          readOnly: true
-          mountPath: {{ .path }}
-          subPath: {{ .subPath }}
-        {{- end }}
+        {{- with .Values.django.uwsgi.extraVolumeMounts }}
+          {{- . | toYaml | nindent 8 }}
         {{- end }}
         {{- if .Values.django.mediaPersistentVolume.enabled }}
         - name: {{ .Values.django.mediaPersistentVolume.name }}
@@ -220,8 +209,8 @@ spec:
           value: {{- if or .Values.django.ingress.activateTLS .Values.django.nginx.tls.enabled }} "True" {{- else }} "False" {{- end }}
         - name: DD_CSRF_COOKIE_SECURE
           value: {{- if or .Values.django.ingress.activateTLS .Values.django.nginx.tls.enabled }} "True" {{- else }} "False" {{- end }}
-        {{- with .Values.extraEnv }}
-          {{- toYaml . | nindent 8 }}
+        {{- with .Values.django.uwsgi.extraEnv }}
+          {{- . | toYaml | nindent 8 }}
         {{- end }}
         {{- if .Values.django.uwsgi.livenessProbe.enabled }}
         livenessProbe:
@@ -249,13 +238,8 @@ spec:
         volumeMounts:
         - name: run
           mountPath: /run/defectdojo
-        {{- range .Values.django.extraVolumes }}
-        {{- if (eq .container "nginx") }}
-        - name: userconfig-{{ .name }}
-          readOnly: true
-          mountPath: {{ .path }}
-          subPath: {{ .subPath }}
-        {{- end }}
+        {{- with .Values.django.nginx.extraVolumeMounts }}
+          {{- . | toYaml | nindent 8 }}
         {{- end }}
         {{- if .Values.django.mediaPersistentVolume.enabled }}
         - name: {{ .Values.django.mediaPersistentVolume.name }}
@@ -278,6 +262,9 @@ spec:
           value: '{{ .Values.django.nginx.tls.enabled }}'
         - name: GENERATE_TLS_CERTIFICATE
           value: '{{ .Values.django.nginx.tls.generateCertificate }}'
+        {{- with .Values.django.nginx.extraEnv }}
+          {{- . | toYaml | nindent 8 }}
+        {{- end }}
         {{- if .Values.django.uwsgi.livenessProbe.enabled }}
         livenessProbe:
           httpGet:

helm/defectdojo/templates/initializer-job.yaml

@@ -95,10 +95,10 @@ spec:
         - configMapRef:
             name: {{ $fullName }}
         - secretRef:
-            name: {{ $fullName }}
+            name: {{ $fullName }}-extrasecrets
             optional: true
         env:
-        {{- with .Values.extraEnv }}
+        {{- with .Values.initializer.extraEnv }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
         resources:
@@ -130,14 +130,15 @@ spec:
         - configMapRef:
             name: {{ $fullName }}
         - secretRef:
-            name: {{ $fullName }}
+            name: {{ $fullName }}-extrasecrets
+            optional: true
         env:
         - name: DD_DATABASE_PASSWORD
           valueFrom:
             secretKeyRef:
               name: {{ .Values.postgresql.auth.existingSecret }}
               key: {{ .Values.postgresql.auth.secretKeys.userPasswordKey }}
-        {{- with .Values.extraEnv }}
+        {{- with .Values.initializer.extraEnv }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
         resources: