feat: improve Helm chart

[fernandezcuesta]

• Add extraInitContainers to celery+django deployments.
• Add extraEnv to all deployments
• Remove existing volume logic in favor of agnostic extraVolumes and extraVolumeMounts
• Add the ability to deploy secrets as regular (non-hooked) resources due to issues found with ArgoCD
• Make some secret references optional (secret might not be created)
• Fix optional secret mounts + reference
• Update bitnami chart reference (OCI)
• Bump up redis chart

---

Reasoning behind the logic change for volumes, with the existing behaviour we cannot mount projected volumes (e.g. a secret mount where we want the key names being renamed) or per-container volumeMounts (e.g. nginx emptyDir when readOnlyRootFs is enforced).

[dryrunsecurity]

This pull request introduces potential security risks related to optional cryptographic keys, sensitive secret exposure in initializer jobs, and configuration injection vulnerabilities in Helm templates, which could lead to information disclosure, weakened encryption, or potential privilege escalation if not properly managed.

Optional Critical Secrets in helm/defectdojo/templates/tests/unit-tests.yaml

Vulnerability	Optional Critical Secrets
Description	The patch adds optional: true to DD_SECRET_KEY and DD_CREDENTIAL_AES_256_KEY in unit tests. Making these critical cryptographic keys optional could lead to the application starting without proper encryption, potentially exposing sensitive data or weakening security mechanisms like session management and credential protection.

django-DefectDojo/helm/defectdojo/templates/tests/unit-tests.yaml

Lines 51 to 63 in fba0cd0

	secretKeyRef:
	name: {{ $fullName }}
	key: DD_SECRET_KEY
	optional: true
	- name: DD_CREDENTIAL_AES_256_KEY
	valueFrom:
	secretKeyRef:
	name: {{ $fullName }}
	key: DD_CREDENTIAL_AES_256_KEY
	optional: true
	resources:
	{{- toYaml .Values.tests.unitTests.resources | nindent 8 }}
	restartPolicy: Never

Sensitive Secret Exposure in helm/defectdojo/templates/initializer-job.yaml

Vulnerability	Sensitive Secret Exposure
Description	The patch adds a secret reference to {{ $fullName }}-extrasecrets in the initializer job, making environment variables from this secret available to containers. If this secret contains sensitive information like API keys or credentials, its exposure increases the risk of information disclosure, especially if the container or its logs are compromised.

django-DefectDojo/helm/defectdojo/templates/initializer-job.yaml

Lines 95 to 104 in fba0cd0

	- configMapRef:
	name: {{ $fullName }}
	- secretRef:
	name: {{ $fullName }}-extrasecrets
	optional: true
	env:
	{{- with .Values.initializer.extraEnv }}
	{{- toYaml . | nindent 8 }}
	{{- end }}
	resources:

Sensitive Secret Exposure in helm/defectdojo/templates/initializer-job.yaml

Vulnerability	Sensitive Secret Exposure
Description	The patch adds a secret reference to {{ $fullName }}-extrasecrets in the initializer job, making environment variables from this secret available to containers. If this secret contains sensitive information like API keys or credentials, its exposure increases the risk of information disclosure, especially if the container or its logs are compromised.

django-DefectDojo/helm/defectdojo/templates/initializer-job.yaml

Lines 130 to 144 in fba0cd0

	- configMapRef:
	name: {{ $fullName }}
	- secretRef:
	name: {{ $fullName }}-extrasecrets
	optional: true
	env:
	- name: DD_DATABASE_PASSWORD
	valueFrom:
	secretKeyRef:
	name: {{ .Values.postgresql.auth.existingSecret }}
	key: {{ .Values.postgresql.auth.secretKeys.userPasswordKey }}
	{{- with .Values.initializer.extraEnv }}
	{{- toYaml . | nindent 8 }}
	{{- end }}
	resources:

Configuration Injection Risk in helm/defectdojo/values.yaml

Vulnerability	Configuration Injection Risk
Description	The patch introduces extraEnv, extraInitContainers, extraVolumeMounts, and extraVolumes configuration options. If these values are not properly validated, an attacker could inject malicious environment variables, mount unauthorized volumes, or run malicious init containers, potentially leading to privilege escalation or arbitrary code execution.

django-DefectDojo/helm/defectdojo/values.yaml

Lines 12 to 21 in fba0cd0

	# - enabled, enables tracking configuration changes based on SHA256
	# trackConfig: disabled
	# Avoid using pre-install hooks, which might cause issues with ArgoCD
	disableHooks: false
	extraLabels: {}
	# Add extra labels for k8s
	# Enables application network policy

---

All finding details can be found in the DryRun Security Dashboard.

[github-actions]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

[valentijnscholten]

@fernandezcuesta Thanks for the PR, we'll ask some helm/k8s experienced devs to look at it. In the mean time could you look at the conflicts? Also this seems to be a bigger change, could you look at basing it against the dev branch

[github-actions]

Conflicts have been resolved. A maintainer will review the pull request shortly.

[fernandezcuesta]

@valentijnscholten done, thanks for having a look at it! I also changed the base to dev branch.

[kiblik]

I will need more time for the rest (this is not my final review).

[kiblik]

TBH, this is a bit confusing for me. I'm using this chart, and 16.7.13 is automatically selected in the final template even though it is not pinned here. I want to look at this more.

[fernandezcuesta]

That was autogenerated after a helm dependency update IIRC but can roll it back

[kiblik]

This is a nice step. I like it.