From ec5dd85ae3ac84c63a05644abf83faaa4fe1a892 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jes=C3=BAs=20Fern=C3=A1ndez?= <7312236+fernandezcuesta@users.noreply.github.com> Date: Wed, 25 Jun 2025 13:39:42 +0200 Subject: [PATCH 01/11] **Summary:** - Add extraInitContainers to celery+django deployments. - Add extraEnv to all deployments - Remove existing volume logic in favor of agnostic extraVolumes and extraVolumeMounts - Fix optional secret mounts + reference - Update bitnami chart reference (OCI) - Bump up redis chart --- helm/defectdojo/Chart.lock | 12 +- helm/defectdojo/Chart.yaml | 6 +- helm/defectdojo/templates/_helpers.tpl | 2 +- .../templates/celery-beat-deployment.yaml | 42 ++--- .../templates/celery-worker-deployment.yaml | 40 ++-- helm/defectdojo/templates/configmap.yaml | 5 +- .../templates/django-deployment.yaml | 63 +++---- .../defectdojo/templates/initializer-job.yaml | 9 +- helm/defectdojo/values.yaml | 172 ++++++------------ 9 files changed, 137 insertions(+), 214 deletions(-) diff --git a/helm/defectdojo/Chart.lock b/helm/defectdojo/Chart.lock index 62ac0a762fa..b114b549ab0 100644 --- a/helm/defectdojo/Chart.lock +++ b/helm/defectdojo/Chart.lock @@ -1,9 +1,9 @@ dependencies: - name: postgresql - repository: https://charts.bitnami.com/bitnami - version: 16.7.0 + repository: oci://registry-1.docker.io/bitnamicharts + version: 16.7.13 - name: redis - repository: https://charts.bitnami.com/bitnami - version: 19.6.4 -digest: sha256:20147b5ef71e728a24b1ce410bfbc64885bb824bac17d75dc3ad49e9af5f1b01 -generated: "2025-05-08T15:21:14.221601771Z" + repository: oci://registry-1.docker.io/bitnamicharts + version: 21.2.5 +digest: sha256:e7440eab01608ec924098f92de7c077f43595776275ef6e96df6d2dc1b2156f4 +generated: "2025-06-25T13:39:17.038667777+02:00" diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml index ee07e3b07fa..e3bc1ac4883 100644 --- a/helm/defectdojo/Chart.yaml +++ b/helm/defectdojo/Chart.yaml 
@@ -11,9 +11,9 @@ maintainers: dependencies: - name: postgresql version: ~16.7.0 - repository: "https://charts.bitnami.com/bitnami" + repository: oci://registry-1.docker.io/bitnamicharts condition: postgresql.enabled - name: redis - version: ~19.6.0 - repository: "https://charts.bitnami.com/bitnami" + version: ~21.2.5 + repository: oci://registry-1.docker.io/bitnamicharts condition: redis.enabled diff --git a/helm/defectdojo/templates/_helpers.tpl b/helm/defectdojo/templates/_helpers.tpl index e709d3c5a30..e20e2fc3a8c 100644 --- a/helm/defectdojo/templates/_helpers.tpl +++ b/helm/defectdojo/templates/_helpers.tpl @@ -61,7 +61,7 @@ Create the name of the service account to use {{- if .Values.redis.enabled -}} {{- printf "%s-%s" .Release.Name "redis-master" | trunc 63 | trimSuffix "-" -}} {{- else -}} -{{- printf "%s" (.Values.celery.brokerHost | default .Values.redis.redisServer) -}} +{{- .Values.celery.brokerHost }} {{- end -}} {{- end -}} {{- end -}} diff --git a/helm/defectdojo/templates/celery-beat-deployment.yaml b/helm/defectdojo/templates/celery-beat-deployment.yaml index fc96dc10c6c..a7d86f5d7f4 100644 --- a/helm/defectdojo/templates/celery-beat-deployment.yaml +++ b/helm/defectdojo/templates/celery-beat-deployment.yaml 
@@ -71,22 +71,16 @@ spec: configMap: name: {{ .Values.django.uwsgi.certificates.configName }} {{- end }} - {{- range .Values.celery.extraVolumes }} - - name: userconfig-{{ .name }} - {{ .type }}: - {{- if (eq .type "configMap") }} - name: {{ .name }} - {{- else if (eq .type "secret") }} - secretName: {{ .name }} - {{- else if (eq .type "hostPath") }} - type: {{ .pathType | default "Directory" }} - path: {{ .hostPath }} - {{- end }} + {{- with .Values.celery.beat.extraVolumes }} + {{- . | toYaml | nindent 6 }} {{- end }} - {{- if or .Values.dbMigrationChecker.enabled .Values.cloudsql.enabled }} + {{- if coalesce .Values.dbMigrationChecker.enabled .Values.cloudsql.enabled .Values.celery.beat.extraInitContainers }} initContainers: + {{- range .Values.celery.beat.extraInitContainers }} + - {{- . | toYaml | nindent 8 }} {{- end }} - {{- if .Values.cloudsql.enabled }} + {{- end }} + {{- if .Values.cloudsql.enabled }} - name: cloudsql-proxy image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }} imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }} @@ -115,6 +109,15 @@ spec: name: celery image: "{{ template "celery.repository" . }}:{{ .Values.tag }}" imagePullPolicy: {{ .Values.imagePullPolicy }} + {{- with .Values.celery.beat.livenessProbe }} + livenessProbe: {{ toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.celery.beat.readinessProbe }} + readinessProbe: {{ toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.celery.beat.startupProbe }} + startupProbe: {{ toYaml . | nindent 10 }} + {{- end }} {{- if .Values.securityContext.enabled }} securityContext: {{- toYaml .Values.securityContext.djangoSecurityContext | nindent 10 }} 
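Review bot: Replacing the `range .Values.celery.extraVolumes` block with `{{- with .Values.celery.beat.extraVolumes }}{{- . | toYaml | nindent 6 }}` changes the values schema from the chart's own `type`/`name`/`path` objects to raw Kubernetes `Volume` entries, and nothing in the template rejects the old shape: an existing `celery.extraVolumes` list is now silently ignored (unless a values.schema.json catches it, which is not visible here), and an old-style entry copied under the new key is emitted verbatim into `volumes:`. The same applies to the worker and django volume hunks and to the relocation of the top-level `extraEnv` into per-container keys in the later hunks of this patch. A guard near the top of each template would make the migration explicit, e.g. `{{- if .Values.celery.extraVolumes }}{{ fail "celery.extraVolumes was replaced by celery.beat.extraVolumes / celery.worker.extraVolumes (raw Volume specs)" }}{{- end }}`, with a matching check for `.Values.extraEnv`. The removed documentation also carried the note that `hostPath` volumes are discouraged and usually blocked by admission policy; since raw volumes now permit any type, that one line is worth keeping above the new `extraVolumes: []` keys in values.yaml.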
@@ -128,15 +131,12 @@ spec: mountPath: /app/dojo/settings/local_settings.py subPath: file {{- end }} - {{- if .Values.django.uwsgi.certificates.enabled }} + {{- if .Values.django.uwsgi.certificates.enabled }} - name: cert-mount mountPath: {{ .Values.django.uwsgi.certificates.certMountPath }} {{- end }} - {{- range .Values.celery.extraVolumes }} - - name: userconfig-{{ .name }} - readOnly: true - mountPath: {{ .path }} - subPath: {{ .subPath }} + {{- with .Values.celery.beat.extraVolumeMounts }} + {{- . | toYaml | nindent 8 }} {{- end }} envFrom: - configMapRef: @@ -162,8 +162,8 @@ spec: secretKeyRef: name: {{ $fullName }} key: DD_SECRET_KEY - {{- with .Values.extraEnv }} - {{- toYaml . | nindent 8 }} + {{- with .Values.celery.beat.extraEnv }} + {{- . | toYaml | nindent 8 }} {{- end }} resources: {{- toYaml .Values.celery.beat.resources | nindent 10 }} diff --git a/helm/defectdojo/templates/celery-worker-deployment.yaml b/helm/defectdojo/templates/celery-worker-deployment.yaml index 5fe9b562888..1f73d26e38c 100644 --- a/helm/defectdojo/templates/celery-worker-deployment.yaml +++ b/helm/defectdojo/templates/celery-worker-deployment.yaml 
@@ -69,20 +69,14 @@ spec: configMap: name: {{ .Values.django.uwsgi.certificates.configName }} {{- end }} - {{- range .Values.celery.extraVolumes }} - - name: userconfig-{{ .name }} - {{ .type }}: - {{- if (eq .type "configMap") }} - name: {{ .name }} - {{- else if (eq .type "secret") }} - secretName: {{ .name }} - {{- else if (eq .type "hostPath") }} - type: {{ .pathType | default "Directory" }} - path: {{ .hostPath }} - {{- end }} + {{- with .Values.celery.beat.extraVolumes }} + {{- . | toYaml | nindent 6 }} {{- end }} - {{- if or .Values.dbMigrationChecker.enabled .Values.cloudsql.enabled }} + {{- if coalesce .Values.dbMigrationChecker.enabled .Values.cloudsql.enabled .Values.celery.worker.extraInitContainers }} initContainers: + {{- range .Values.celery.worker.extraInitContainers }} + - {{- . | toYaml | nindent 8 }} + {{- end }} {{- end }} {{- if .Values.cloudsql.enabled }} - name: cloudsql-proxy @@ -111,13 +105,22 @@ spec: - name: celery image: "{{ template "celery.repository" . }}:{{ .Values.tag }}" imagePullPolicy: {{ .Values.imagePullPolicy }} + {{- with .Values.celery.worker.livenessProbe }} + livenessProbe: {{ toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.celery.worker.readinessProbe }} + readinessProbe: {{ toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.celery.worker.startupProbe }} + startupProbe: {{ toYaml . | nindent 10 }} + {{- end }} {{- if .Values.securityContext.enabled }} securityContext: {{- toYaml .Values.securityContext.djangoSecurityContext | nindent 10 }} {{- end }} command: ['/entrypoint-celery-worker.sh'] volumeMounts: - {{- if .Values.localsettingspy }} + {{- if .Values.localsettingspy }} - name: localsettingspy readOnly: true mountPath: /app/dojo/settings/local_settings.py 
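Review bot: The worker deployment renders its volumes from `.Values.celery.beat.extraVolumes` while the matching mounts in the next hunk of this file read `.Values.celery.worker.extraVolumeMounts`, so a volume declared under `celery.worker.extraVolumes` (the key added to values.yaml in this patch) is never rendered and any mount referencing it fails with a missing-volume error at pod admission. The line should be `{{- with .Values.celery.worker.extraVolumes }}`.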
@@ -127,11 +130,8 @@ spec: - name: cert-mount mountPath: {{ .Values.django.uwsgi.certificates.certMountPath }} {{- end }} - {{- range .Values.celery.extraVolumes }} - - name: userconfig-{{ .name }} - readOnly: true - mountPath: {{ .path }} - subPath: {{ .subPath }} + {{- with .Values.celery.worker.extraVolumeMounts }} + {{- . | toYaml | nindent 8 }} {{- end }} envFrom: - configMapRef: @@ -157,8 +157,8 @@ spec: secretKeyRef: name: {{ $fullName }} key: DD_SECRET_KEY - {{- with .Values.extraEnv }} - {{- toYaml . | nindent 8 }} + {{- with .Values.celery.worker.extraEnv }} + {{- . | toYaml | nindent 8 }} {{- end }} resources: {{- toYaml .Values.celery.worker.resources | nindent 10 }} diff --git a/helm/defectdojo/templates/configmap.yaml b/helm/defectdojo/templates/configmap.yaml index 74d516981c7..c804fe71c53 100644 --- a/helm/defectdojo/templates/configmap.yaml +++ b/helm/defectdojo/templates/configmap.yaml @@ -54,5 +54,6 @@ data: {{- if .Values.django.uwsgi.certificates.enabled }} REQUESTS_CA_BUNDLE: {{ .Values.django.uwsgi.certificates.certMountPath }}{{ .Values.django.uwsgi.certificates.certFileName }} {{- end }} -{{- with .Values.extraConfigs }} - {{- toYaml . | nindent 2 }}{{- end }} +{{- with .Values.extraConfigs }} + {{- toYaml . | nindent 2 }} +{{- end }} diff --git a/helm/defectdojo/templates/django-deployment.yaml b/helm/defectdojo/templates/django-deployment.yaml index 0f6d5fc0076..71b007521c0 100644 --- a/helm/defectdojo/templates/django-deployment.yaml +++ b/helm/defectdojo/templates/django-deployment.yaml @@ -24,8 +24,8 @@ spec: strategy: {{- toYaml . | nindent 4 }} {{- end }} - {{- if .Values.revisionHistoryLimit }} - revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + {{- with .Values.revisionHistoryLimit }} + revisionHistoryLimit: {{ . }} {{- end }} selector: matchLabels: 
@@ -61,9 +61,9 @@ spec: {{- end }} spec: serviceAccountName: {{ include "defectdojo.serviceAccountName" . }} - {{- if .Values.imagePullSecrets }} + {{- with .Values.imagePullSecrets }} imagePullSecrets: - - name: {{ .Values.imagePullSecrets }} + - name: {{ quote . }} {{- end }} {{- if .Values.django.mediaPersistentVolume.enabled }} securityContext: 
@@ -72,41 +72,34 @@ spec: volumes: - name: run emptyDir: {} - {{- if .Values.localsettingspy }} + {{- if .Values.localsettingspy }} - name: localsettingspy configMap: name: {{ $fullName }}-localsettingspy {{- end }} - {{- if .Values.django.uwsgi.certificates.enabled }} + {{- if .Values.django.uwsgi.certificates.enabled }} - name: cert-mount configMap: name: {{ .Values.django.uwsgi.certificates.configName }} {{- end }} - {{- range .Values.django.extraVolumes }} - - name: userconfig-{{ .name }} - {{ .type }}: - {{- if (eq .type "configMap") }} - name: {{ .name }} - {{- else if (eq .type "secret") }} - secretName: {{ .name }} - {{- else if (eq .type "hostPath") }} - type: {{ .pathType | default "Directory" }} - path: {{ .hostPath }} - {{- end }} + {{- with .Values.django.extraVolumes }} + {{- . | toYaml | nindent 6 }} {{- end }} {{- if .Values.django.mediaPersistentVolume.enabled }} - name: {{ .Values.django.mediaPersistentVolume.name }} - {{- if eq .Values.django.mediaPersistentVolume.type "pvc" }} + {{- if eq .Values.django.mediaPersistentVolume.type "pvc" }} persistentVolumeClaim: claimName: {{ include "django.pvc_name" $ }} {{ else }} emptyDir: {} {{- end }} {{- end }} - {{- if or .Values.dbMigrationChecker.enabled .Values.cloudsql.enabled }} + {{- if coalesce .Values.dbMigrationChecker.enabled .Values.cloudsql.enabled .Values.django.extraInitContainers }} initContainers: + {{- range .Values.django.extraInitContainers }} + - {{- . | toYaml | nindent 8 }} {{- end }} - {{- if .Values.cloudsql.enabled }} + {{- if .Values.cloudsql.enabled }} - name: cloudsql-proxy image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }} imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }} @@ -129,6 +122,7 @@ spec: {{- $newContext := merge . (dict "fullName" $fullName) }} {{- include "dbMigrationChecker" $newContext | nindent 6 }} {{- end }} + {{- end }} containers: {{- if and .Values.monitoring.enabled .Values.monitoring.prometheus.enabled }} - name: metrics 
@@ -157,23 +151,18 @@ spec: volumeMounts: - name: run mountPath: /run/defectdojo - {{- if .Values.localsettingspy }} + {{- if .Values.localsettingspy }} - name: localsettingspy readOnly: true mountPath: /app/dojo/settings/local_settings.py subPath: file {{- end }} - {{- if .Values.django.uwsgi.certificates.enabled }} + {{- if .Values.django.uwsgi.certificates.enabled }} - name: cert-mount mountPath: {{ .Values.django.uwsgi.certificates.certMountPath }} {{- end }} - {{- range .Values.django.extraVolumes }} - {{- if (eq .container "uwsgi") }} - - name: userconfig-{{ .name }} - readOnly: true - mountPath: {{ .path }} - subPath: {{ .subPath }} - {{- end }} + {{- with .Values.django.uwsgi.extraVolumeMounts }} + {{- . | toYaml | nindent 8 }} {{- end }} {{- if .Values.django.mediaPersistentVolume.enabled }} - name: {{ .Values.django.mediaPersistentVolume.name }} @@ -220,8 +209,8 @@ spec: value: {{- if or .Values.django.ingress.activateTLS .Values.django.nginx.tls.enabled }} "True" {{- else }} "False" {{- end }} - name: DD_CSRF_COOKIE_SECURE value: {{- if or .Values.django.ingress.activateTLS .Values.django.nginx.tls.enabled }} "True" {{- else }} "False" {{- end }} - {{- with .Values.extraEnv }} - {{- toYaml . | nindent 8 }} + {{- with .Values.django.uwsgi.extraEnv }} + {{- . | toYaml | nindent 8 }} {{- end }} {{- if .Values.django.uwsgi.livenessProbe.enabled }} livenessProbe: @@ -249,13 +238,8 @@ spec: volumeMounts: - name: run mountPath: /run/defectdojo - {{- range .Values.django.extraVolumes }} - {{- if (eq .container "nginx") }} - - name: userconfig-{{ .name }} - readOnly: true - mountPath: {{ .path }} - subPath: {{ .subPath }} - {{- end }} + {{- with .Values.django.nginx.extraVolumeMounts }} + {{- . | toYaml | nindent 8 }} {{- end }} {{- if .Values.django.mediaPersistentVolume.enabled }} - name: {{ .Values.django.mediaPersistentVolume.name }} 
@@ -278,6 +262,9 @@ spec: value: '{{ .Values.django.nginx.tls.enabled }}' - name: GENERATE_TLS_CERTIFICATE value: '{{ .Values.django.nginx.tls.generateCertificate }}' + {{- with .Values.django.nginx.extraEnv }} + {{- . | toYaml | nindent 8 }} + {{- end }} {{- if .Values.django.uwsgi.livenessProbe.enabled }} livenessProbe: httpGet: diff --git a/helm/defectdojo/templates/initializer-job.yaml b/helm/defectdojo/templates/initializer-job.yaml index 223799bf444..9b245de8771 100644 --- a/helm/defectdojo/templates/initializer-job.yaml +++ b/helm/defectdojo/templates/initializer-job.yaml @@ -95,10 +95,10 @@ spec: - configMapRef: name: {{ $fullName }} - secretRef: - name: {{ $fullName }} + name: {{ $fullName }}-extrasecrets optional: true env: - {{- with .Values.extraEnv }} + {{- with .Values.initializer.extraEnv }} {{- toYaml . | nindent 8 }} {{- end }} resources: @@ -130,14 +130,15 @@ spec: - configMapRef: name: {{ $fullName }} - secretRef: - name: {{ $fullName }} + name: {{ $fullName }}-extrasecrets + optional: true env: - name: DD_DATABASE_PASSWORD valueFrom: secretKeyRef: name: {{ .Values.postgresql.auth.existingSecret }} key: {{ .Values.postgresql.auth.secretKeys.userPasswordKey }} - {{- with .Values.extraEnv }} + {{- with .Values.initializer.extraEnv }} {{- toYaml . | nindent 8 }} {{- end }} resources: diff --git a/helm/defectdojo/values.yaml b/helm/defectdojo/values.yaml index c453385fa59..4b420dd87fe 100644 --- a/helm/defectdojo/values.yaml +++ b/helm/defectdojo/values.yaml @@ -12,7 +12,7 @@ createPostgresqlSecret: false # - enabled, enables tracking configuration changes based on SHA256 # trackConfig: disabled -# extraLabels: {} +extraLabels: {} # Add extra labels for k8s # Enables application network policy 
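Review bot: Both `envFrom` hunks in initializer-job.yaml switch the `secretRef` from `{{ $fullName }}` to `{{ $fullName }}-extrasecrets` and mark it optional, so the job no longer loads the chart's main secret (the one the deployments read `DD_SECRET_KEY` and `DD_CREDENTIAL_AES_256_KEY` from) into its environment; unless those keys are injected explicitly elsewhere in the job template, which these hunks do not show, migrations would run with whatever values the application falls back to. Please confirm the `-extrasecrets` object exists in this chart, and if the job still needs the main secret keep a second entry `- secretRef:` / `name: {{ $fullName }}` alongside the new one. Marking a secret that carries key material `optional: true` also turns a missing or misnamed secret into a silent misconfiguration rather than a scheduling error, so a one-line comment above `optional: true` stating why it is acceptable here would help the next reader.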
@@ -64,7 +64,7 @@ imagePullPolicy: Always repositoryPrefix: defectdojo # When using a private registry, name of the secret that holds the registry secret (eg deploy token from gitlab-ci project) # Create secrets as: kubectl create secret docker-registry defectdojoregistrykey --docker-username=registry_username --docker-password=registry_password --docker-server='https://index.docker.io/v1/' -# imagePullSecrets: defectdojoregistrykey +imagePullSecrets: ~ tag: latest # Additional labels to add to the pods: @@ -73,7 +73,7 @@ tag: latest podLabels: {} # Allow overriding of revisionHistoryLimit across all deployments. -# revisionHistoryLimit: 10 +revisionHistoryLimit: 10 securityContext: enabled: true @@ -152,6 +152,15 @@ celery: beat: annotations: {} affinity: {} + # Additional environment variables injected to Celery beat containers. + extraEnv: [] + # A list of additional initContainers to run before celery beat containers. + extraInitContainers: [] + # Array of additional volume mount points for the celery beat containers. + extraVolumeMounts: [] + # A list of extra volumes to mount + # @type: array + extraVolumes: [] nodeSelector: {} replicas: 1 resources: @@ -165,6 +174,15 @@ celery: worker: annotations: {} affinity: {} + # Additional environment variables injected to Celery worker containers. + extraEnv: [] + # A list of additional initContainers to run before celery worker containers. + extraInitContainers: [] + # Array of additional volume mount points for the celery worker containers. + extraVolumeMounts: [] + # A list of extra volumes to mount. + # @type: array + extraVolumes: [] nodeSelector: {} replicas: 1 resources: 
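Review bot: `imagePullSecrets: ~` introduces the tilde null spelling into a file that otherwise writes empty defaults as `{}`/`[]`/`""`; `imagePullSecrets: null` (or keeping the key commented out as before) reads the same to Helm and avoids a reader mistaking `~` for a path. The same hunk also turns `revisionHistoryLimit: 10` from a commented example into an active default, which the django-deployment hunk then renders through `with`; that matches the Kubernetes default so behaviour is unchanged, but the comment above it still says "Allow overriding", so it should be updated to say the value is now set.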
@@ -185,39 +203,6 @@ celery: # concurrency: 8 # prefetchMultiplier: 128 - # A list of extra volumes to mount. This - # is useful for bringing in extra data that can be referenced by other configurations - # at a well known path, such as local_settings. The - # value of this should be a list of objects. - # - # Example: - # - # ```yaml - # extraVolumes: - # - type: configMap - # name: local_settings - # path: /app/dojo/settings/local_settings.py - # subPath: local_settings.py - # - type: hostPath - # name: host_directory - # path: /tmp - # hostPath: /tmp - # ``` - # - # Each object supports the following keys: - # - # - `type` - Type of the volume, must be one of "configMap", "secret", "hostPath". Case sensitive. - # Even is supported we are highly recommending to avoid hostPath for security reasons (usually blocked by PSP) - # - `name` - Name of the configMap or secret to be mounted. This also controls - # the path that it is mounted to. The volume will be mounted to `/consul/userconfig/`. - # - `path` - defines where file should be exposed - # - `subPath` - extracts only particular file from secret or configMap - # - `pathType` - only for hostPath, can be one of the "DirectoryOrCreate", "Directory" (default), "FileOrCreate", - # "File", "Socket", "CharDevice", "BlockDevice" - # - `hostPath` - only for hostPath, file or directory from local host - # @type: array - extraVolumes: [] - django: annotations: {} service: @@ -236,6 +221,16 @@ django: # nginx.ingress.kubernetes.io/proxy-read-timeout: "1800" # nginx.ingress.kubernetes.io/proxy-send-timeout: "1800" nginx: + # To extra environment variables to the nginx container, you can use extraEnv. For example: + # extraEnv: + # - name: FOO + # valueFrom: + # configMapKeyRef: + # name: foo + # key: bar + extraEnv: [] + # Array of additional volume mount points for nginx containers. + extraVolumeMounts: [] tls: enabled: false generateCertificate: false 
@@ -251,6 +246,17 @@ django: strategy: {} tolerations: [] uwsgi: + # To add (or override) extra variables which need to be pulled from another configMap, you can + # use extraEnv. For example: + # extraEnv: + # - name: DD_DATABASE_HOST + # valueFrom: + # configMapKeyRef: + # name: my-other-postgres-configmap + # key: cluster_endpoint + extraEnv: [] + # Array of additional volume mount points for uwsgi containers. + extraVolumeMounts: [] livenessProbe: # Enable liveness checks on uwsgi container. enabled: true 
@@ -289,47 +295,16 @@ django: enableDebug: false # this also requires DD_DEBUG to be set to True certificates: # includes additional CA certificate as volume, it refrences REQUESTS_CA_BUNDLE env varible - # to create configMap `kubectl create cm defectdojo-ca-certs --from-file=ca.crt` + # to create configMap `kubectl create cm defectdojo-ca-certs --from-file=ca.crt` # NOTE: it reflects REQUESTS_CA_BUNDLE for celery workers, beats as well enabled: false configName: defectdojo-ca-certs certMountPath: /certs/ certFileName: ca.crt - # A list of extra volumes to mount. This - # is useful for bringing in extra data that can be referenced by other configurations - # at a well known path, such as local_settings. The - # value of this should be a list of objects. - # - # Example: - # - # ```yaml - # extraVolumes: - # - type: configMap - # name: local_settings - # path: /app/dojo/settings/local_settings.py - # container: uwsgi - # subPath: local_settings.py - # - type: hostPath - # name: host_directory - # path: /app/dojo/settings/ - # hostPath: /var/run - # container: uwsgi - # ``` - # - # Each object supports the following keys: - # - # - `type` - Type of the volume, must be one of "configMap", "secret", "hostPath". Case sensitive. - # Even is supported we are highly recommending to avoid hostPath for security reasons (usually blocked by PSP) - # - `name` - Name of the configMap or secret to be mounted. This also controls - # the path that it is mounted to. The volume will be mounted to `/consul/userconfig/`. 
- # - `path` - defines where file should be exposed - # - `container` - defines where volume needs to be mounted, must be uwsgi or nginx - # - `subPath` - extracts only particular file from secret or configMap - # - `pathType` - only for hostPath, can be one of the "DirectoryOrCreate", "Directory" (default), "FileOrCreate", - # "File", "Socket", "CharDevice", "BlockDevice" - # - `hostPath` - only for hostPath, file or directory from local host - # @type: array + # A list of additional initContainers to run before the uwsgi and nginx containers. + extraInitContainers: [] + # A list of extra volumes to mount. extraVolumes: [] # This feature needs more preparation before can be enabled, please visit KUBERNETES.md#media-persistent-volume @@ -358,6 +333,7 @@ initializer: keepSeconds: 60 # A positive integer will keep this Job and Pod deployed for the specified number of seconds, after which they will be removed. For all other values, the Job and Pod will remain deployed. affinity: {} nodeSelector: {} + tolerations: [] resources: requests: cpu: 100m 
@@ -365,38 +341,11 @@ initializer: limits: cpu: 2000m memory: 512Mi - - # A list of extra volumes to mount. This - # is useful for bringing in extra data that can be referenced by other configurations - # at a well known path, such as local_settings. The - # value of this should be a list of objects. - # - # Example: - # - # ```yaml - # extraVolumes: - # - type: configMap - # name: local_settings - # path: /app/dojo/settings/local_settings.py - # subPath: local_settings.py - # - type: hostPath - # name: host_directory - # path: /tmp - # hostPath: /tmp - # ``` - # - # Each object supports the following keys: - # - # - `type` - Type of the volume, must be one of "configMap", "secret", "hostPath". Case sensitive. - # Even is supported we are highly recommending to avoid hostPath for security reasons (usually blocked by PSP) - # - `name` - Name of the configMap or secret to be mounted. This also controls - # the path that it is mounted to. The volume will be mounted to `/consul/userconfig/`. - # - `path` - defines where file should be exposed - # - `subPath` - extracts only particular file from secret or configMap - # - `pathType` - only for hostPath, can be one of the "DirectoryOrCreate", "Directory" (default), "FileOrCreate", - # "File", "Socket", "CharDevice", "BlockDevice" - # - `hostPath` - only for hostPath, file or directory from local host - # @type: array + # Additional environment variables injected to the initializer job pods. + extraEnv: [] + # Array of additional volume mount points for the initializer job pods. + extraVolumeMounts: [] + # A list of extra volumes to mount. extraVolumes: [] # staticName defines whether name of the job will be the same (e.g., "defectdojo-initializer") 
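Review bot: `initializer.extraVolumeMounts` and `initializer.extraVolumes` are added here with documentation, but the two initializer-job.yaml hunks in this patch only wire `initializer.extraEnv`, so both keys are accepted and have no effect. Either add the corresponding `{{- with .Values.initializer.extraVolumes }}` / `extraVolumeMounts` blocks to the job template or drop the keys until they are consumed; `celery.worker.extraVolumes` has the same problem, since the worker template reads the beat key. The replaced comment block also dropped the caution that `hostPath` volumes are discouraged and commonly blocked by admission policy; one line of that above `extraVolumes: []` is still worth having now that arbitrary volume types are accepted.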
@@ -480,19 +429,13 @@ gke: # For more advance options check the bitnami chart documentation: https://github.com/bitnami/charts/tree/master/bitnami/redis redis: + # To use an external Redis instance, set enabled to false and set the address in .Values.celery.brokerHost enabled: true - scheme: "redis" - transportEncryption: - enabled: false - params: '' auth: existingSecret: defectdojo-redis-specific existingSecretPasswordKey: redis-password password: "" architecture: standalone - # To use an external Redis instance, set enabled to false and uncomment - # the line below: - # redisServer: myrediscluster # To use a different port for Redis (default: 6379) add a port number and uncomment the lines below: # master: # service: @@ -512,15 +455,6 @@ redis: # DD_SOCIAL_AUTH_AUTH0_SECRET: 'xxx' extraConfigs: {} -# To add (or override) extra variables which need to be pulled from another configMap, you can -# use extraEnv. For example: -# extraEnv: -# - name: DD_DATABASE_HOST -# valueFrom: -# configMapKeyRef: -# name: my-other-postgres-configmap -# key: cluster_endpoint - # To add code snippet which would extend setting functionality, you might add it here # It will be stored as ConfigMap and mounted `dojo/settings/local_settings.py`. # For more see: https://documentation.defectdojo.com/getting_started/configuration/ From 475ed17ce3e080137093a7a0877af6d7ea59450b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jes=C3=BAs=20Fern=C3=A1ndez?= <7312236+fernandezcuesta@users.noreply.github.com> Date: Wed, 25 Jun 2025 13:51:09 +0200 Subject: [PATCH 02/11] chore: add livenessProbe entries for celery --- helm/defectdojo/Chart.yaml | 2 +- helm/defectdojo/values.yaml | 20 ++++++++++++++++++++ 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml index e3bc1ac4883..c1ce5f87b36 100644 --- a/helm/defectdojo/Chart.yaml +++ b/helm/defectdojo/Chart.yaml 
@@ -2,7 +2,7 @@ apiVersion: v2 appVersion: "2.47.3" description: A Helm chart for Kubernetes to install DefectDojo name: defectdojo -version: 1.6.193 +version: 1.6.194 icon: https://www.defectdojo.org/img/favicon.ico maintainers: - name: madchap diff --git a/helm/defectdojo/values.yaml b/helm/defectdojo/values.yaml index 4b420dd87fe..fc3160d2a70 100644 --- a/helm/defectdojo/values.yaml +++ b/helm/defectdojo/values.yaml @@ -161,6 +161,16 @@ celery: # A list of extra volumes to mount # @type: array extraVolumes: [] + # Enable liveness probe for Celery beat container. + livenessProbe: {} + # exec: + # command: + # - bash + # - -c + # - celery -A dojo inspect ping -t 5 + # initialDelaySeconds: 30 + # periodSeconds: 60 + # timeoutSeconds: 10 nodeSelector: {} replicas: 1 resources: @@ -183,6 +193,16 @@ celery: # A list of extra volumes to mount. # @type: array extraVolumes: [] + # Enable liveness probe for Celery worker containers. + livenessProbe: {} + # exec: + # command: + # - bash + # - -c + # - celery -A dojo inspect ping -t 5 + # initialDelaySeconds: 30 + # periodSeconds: 60 + # timeoutSeconds: 10 nodeSelector: {} replicas: 1 resources: From 6b18b9699aae01947331f9499f94e9f400195a6d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jes=C3=BAs=20Fern=C3=A1ndez?= <7312236+fernandezcuesta@users.noreply.github.com> Date: Thu, 26 Jun 2025 08:27:38 +0200 Subject: [PATCH 03/11] fix: reference to removed field --- helm/defectdojo/templates/_helpers.tpl | 6 +++--- helm/defectdojo/templates/configmap.yaml | 2 +- helm/defectdojo/values.yaml | 4 +++- 3 files changed, 7 insertions(+), 5 deletions(-) diff --git a/helm/defectdojo/templates/_helpers.tpl b/helm/defectdojo/templates/_helpers.tpl index e20e2fc3a8c..8883403f1bb 100644 --- a/helm/defectdojo/templates/_helpers.tpl +++ b/helm/defectdojo/templates/_helpers.tpl 
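Review bot: The commented probe example under `celery.beat.livenessProbe` runs `celery -A dojo inspect ping -t 5`, which as far as I can tell queries worker nodes over the broker rather than the beat process itself, so a healthy beat with no reachable worker would be reported unhealthy and a stalled beat with live workers would pass. If there is no better beat-specific check, the comment should say what the example actually proves, e.g. `# NOTE: inspect ping only verifies broker connectivity and worker responsiveness, not the beat scheduler`. Also, the dictionary-valued `livenessProbe: {}` is rendered through `with`, so the example block (when uncommented) must be indented under the key rather than left as the sibling comment lines suggest.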
@@ -61,7 +61,7 @@ Create the name of the service account to use {{- if .Values.redis.enabled -}} {{- printf "%s-%s" .Release.Name "redis-master" | trunc 63 | trimSuffix "-" -}} {{- else -}} -{{- .Values.celery.brokerHost }} +{{ .Values.celery.brokerHost }} {{- end -}} {{- end -}} {{- end -}} @@ -71,9 +71,9 @@ Create the name of the service account to use */}} {{- define "redis.scheme" -}} {{- if eq .Values.celery.broker "redis" -}} -{{- if .Values.redis.transportEncryption.enabled -}} +{{- if .Values.redis.tls.enabled -}} {{- printf "rediss" -}} -{{- else if eq .Values.redis.scheme "sentinel" -}} +{{- else if .Values.redis.sentinel.enabled -}} {{- printf "sentinel" -}} {{- else -}} {{- printf "redis" -}} diff --git a/helm/defectdojo/templates/configmap.yaml b/helm/defectdojo/templates/configmap.yaml index c804fe71c53..f796fd6e556 100644 --- a/helm/defectdojo/templates/configmap.yaml +++ b/helm/defectdojo/templates/configmap.yaml @@ -28,7 +28,7 @@ data: DD_CELERY_BROKER_USER: '' DD_CELERY_BROKER_HOST: {{ if eq .Values.celery.broker "redis" }}{{ template "redis.hostname" . }}{{ end }} DD_CELERY_BROKER_PORT: '{{ if eq .Values.celery.broker "redis" }}{{- if ( hasKey .Values.redis "master" ) -}}{{ .Values.redis.master.service.ports.redis }}{{ else }}6379{{ end }}{{- end -}}' - DD_CELERY_BROKER_PARAMS: '{{ if eq .Values.celery.broker "redis" }}{{- if .Values.redis.transportEncryption.enabled -}}{{ .Values.redis.transportEncryption.params | default "ssl_cert_reqs=optional" }}{{ end }}{{ end }}' + DD_CELERY_BROKER_PARAMS: '{{ if eq .Values.celery.broker "redis" }}{{- if .Values.redis.tls.enabled -}}{{ .Values.celery.brokerParams | default "ssl_cert_reqs=optional" }}{{ end }}{{ end }}' DD_CELERY_BROKER_PATH: '{{ .Values.celery.path | default "//" }}' DD_CELERY_LOG_LEVEL: {{ .Values.celery.logLevel }} DD_CELERY_WORKER_POOL_TYPE: {{ .Values.celery.worker.appSettings.poolType | default "solo" }} 
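Review bot: `DD_CELERY_BROKER_PARAMS` only emits `.Values.celery.brokerParams` inside the `.Values.redis.tls.enabled` branch, so a value set for a non-TLS broker is silently dropped even though the values.yaml comment in the next hunk describes it as generic "parameters attached to the broker URL". If the parameters are only meaningful with TLS the comment should say so; otherwise emit the value in both branches and keep the default only for TLS, e.g. `{{- if .Values.redis.tls.enabled -}}{{ .Values.celery.brokerParams | default "ssl_cert_reqs=optional" }}{{- else -}}{{ .Values.celery.brokerParams }}{{- end -}}`. Since `redis.scheme` now keys `rediss` on the subchart's `.Values.redis.tls.enabled`, users of an external Redis (`redis.enabled: false`) still have to set that subchart key to get a TLS broker URL; that deserves a line in the values.yaml comment next to `brokerHost`.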
diff --git a/helm/defectdojo/values.yaml b/helm/defectdojo/values.yaml index fc3160d2a70..120ee12bd11 100644 --- a/helm/defectdojo/values.yaml +++ b/helm/defectdojo/values.yaml @@ -147,6 +147,8 @@ celery: broker: redis # To use an external celery broker, set the hostname here brokerHost: "" + # Parameters attached to the broker URL, defaults to "ssl_cert_reqs=optional" if redis.tls.enabled + brokerParams: "" logLevel: INFO annotations: {} beat: @@ -447,7 +449,7 @@ gke: # Only works with serviceAccount.create = true workloadIdentityEmail: "" -# For more advance options check the bitnami chart documentation: https://github.com/bitnami/charts/tree/master/bitnami/redis +# For more advance options check the bitnami chart documentation: https://github.com/bitnami/charts/tree/main/bitnami/redis redis: # To use an external Redis instance, set enabled to false and set the address in .Values.celery.brokerHost enabled: true From 4165ca876402728ef1e7577cb47a4fef277ec254 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jes=C3=BAs=20Fern=C3=A1ndez?= <7312236+fernandezcuesta@users.noreply.github.com> Date: Thu, 26 Jun 2025 08:28:40 +0200 Subject: [PATCH 04/11] fix: conflict --- helm/defectdojo/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml index c1ce5f87b36..88cfee2009e 100644 --- a/helm/defectdojo/Chart.yaml +++ b/helm/defectdojo/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 appVersion: "2.47.3" description: A Helm chart for Kubernetes to install DefectDojo name: defectdojo -version: 1.6.194 +version: 1.6.194-dev icon: https://www.defectdojo.org/img/favicon.ico maintainers: - name: madchap From cbf87786c333ec9dde4fabccc69a7916c7d43f91 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jes=C3=BAs=20Fern=C3=A1ndez?= <7312236+fernandezcuesta@users.noreply.github.com> Date: Thu, 26 Jun 2025 08:32:39 +0200 Subject: [PATCH 05/11] chore: add reference to upstream chart --- helm/defectdojo/values.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/helm/defectdojo/values.yaml b/helm/defectdojo/values.yaml index 120ee12bd11..cf1ca709c7e 100644 --- a/helm/defectdojo/values.yaml +++ b/helm/defectdojo/values.yaml @@ -375,6 +375,7 @@ initializer: # This might be handy for ArgoCD deployments staticName: false +# For more advance options check the bitnami chart documentation: https://github.com/bitnami/charts/tree/main/bitnami/postgresql postgresql: enabled: true auth: From 67d634825764903059e797aaf01428cfad659947 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jes=C3=BAs=20Fern=C3=A1ndez?= <7312236+fernandezcuesta@users.noreply.github.com> Date: Thu, 26 Jun 2025 08:44:53 +0200 Subject: [PATCH 06/11] fix: missing default values from upstream chart used in templates --- helm/defectdojo/values.yaml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/helm/defectdojo/values.yaml b/helm/defectdojo/values.yaml index cf1ca709c7e..ef4bdf9124b 100644 --- a/helm/defectdojo/values.yaml +++ b/helm/defectdojo/values.yaml @@ -464,6 +464,17 @@ redis: # service: # ports: # redis: xxxx + # Sentinel configuration parameters + sentinel: + enabled: false + # If TLS is enabled, the Redis broker will use the redis:// and optionally mount the certificates + # from an existing secret. + tls: + enabled: false + # existingSecret: redis-tls + # certFilename: tls.crt + # certKeyFilename: tls.key + # certCAFilename: ca.crt # To add extra variables not predefined by helm config it is possible to define in extraConfigs block, e.g. below: # NOTE Do not store any kind of sensitive information inside of it From b34e8338123e71e67c1998384df952289283e75f Mon Sep 17 00:00:00 2001 
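Review bot: The new comment above `tls:` in the values.yaml hunk says the broker "will use the redis://" scheme when TLS is enabled, but the `redis.scheme` helper changed in patch 03 emits `rediss` in that case; the comment should read `rediss://`. The second half, "optionally mount the certificates from an existing secret", describes the bitnami subchart's own behaviour; with `redis.enabled: false` nothing in the chart's deployments mounts `existingSecret` as far as these hunks show, so it is worth stating that the `existingSecret`/`cert*` keys only apply to the bundled Redis, to avoid users expecting the CA file to be present for an external broker.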
From: =?UTF-8?q?Jes=C3=BAs=20Fern=C3=A1ndez?= <7312236+fernandezcuesta@users.noreply.github.com> Date: Thu, 26 Jun 2025 08:46:53 +0200 Subject: [PATCH 07/11] chore: rephrase --- helm/defectdojo/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm/defectdojo/values.yaml b/helm/defectdojo/values.yaml index ef4bdf9124b..88c2336619e 100644 --- a/helm/defectdojo/values.yaml +++ b/helm/defectdojo/values.yaml @@ -452,7 +452,7 @@ gke: # For more advance options check the bitnami chart documentation: https://github.com/bitnami/charts/tree/main/bitnami/redis redis: - # To use an external Redis instance, set enabled to false and set the address in .Values.celery.brokerHost + # To use an external Redis instance, switch enabled to false and set the address in .Values.celery.brokerHost enabled: true auth: existingSecret: defectdojo-redis-specific From 330a1273d7f67c0efb4fccde49b8b63c12ad057f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jes=C3=BAs=20Fern=C3=A1ndez?= <7312236+fernandezcuesta@users.noreply.github.com> Date: Thu, 26 Jun 2025 16:24:35 +0200 Subject: [PATCH 08/11] feat: allow deploy secret as regular non-hooked resources --- helm/defectdojo/templates/celery-beat-deployment.yaml | 1 + helm/defectdojo/templates/celery-worker-deployment.yaml | 1 + helm/defectdojo/templates/django-deployment.yaml | 2 ++ helm/defectdojo/templates/sa.yaml | 2 ++ helm/defectdojo/templates/secret-postgresql.yaml | 2 ++ helm/defectdojo/templates/secret-redis.yaml | 2 ++ helm/defectdojo/templates/secret.yaml | 2 ++ helm/defectdojo/templates/tests/unit-tests.yaml | 2 ++ helm/defectdojo/values.yaml | 5 ++++- 9 files changed, 18 insertions(+), 1 deletion(-) diff --git a/helm/defectdojo/templates/celery-beat-deployment.yaml b/helm/defectdojo/templates/celery-beat-deployment.yaml index a7d86f5d7f4..dd84020ca37 100644 --- a/helm/defectdojo/templates/celery-beat-deployment.yaml +++ b/helm/defectdojo/templates/celery-beat-deployment.yaml 
@@ -162,6 +162,7 @@ spec: secretKeyRef: name: {{ $fullName }} key: DD_SECRET_KEY + optional: true {{- with .Values.celery.beat.extraEnv }} {{- . | toYaml | nindent 8 }} {{- end }} diff --git a/helm/defectdojo/templates/celery-worker-deployment.yaml b/helm/defectdojo/templates/celery-worker-deployment.yaml index 1f73d26e38c..79116e49bf3 100644 --- a/helm/defectdojo/templates/celery-worker-deployment.yaml +++ b/helm/defectdojo/templates/celery-worker-deployment.yaml @@ -157,6 +157,7 @@ spec: secretKeyRef: name: {{ $fullName }} key: DD_SECRET_KEY + optional: true {{- with .Values.celery.worker.extraEnv }} {{- . | toYaml | nindent 8 }} {{- end }} diff --git a/helm/defectdojo/templates/django-deployment.yaml b/helm/defectdojo/templates/django-deployment.yaml index 71b007521c0..de815381a01 100644 --- a/helm/defectdojo/templates/django-deployment.yaml +++ b/helm/defectdojo/templates/django-deployment.yaml @@ -200,11 +200,13 @@ spec: secretKeyRef: name: {{ $fullName }} key: DD_SECRET_KEY + optional: true - name: DD_CREDENTIAL_AES_256_KEY valueFrom: secretKeyRef: name: {{ $fullName }} key: DD_CREDENTIAL_AES_256_KEY + optional: true - name: DD_SESSION_COOKIE_SECURE value: {{- if or .Values.django.ingress.activateTLS .Values.django.nginx.tls.enabled }} "True" {{- else }} "False" {{- end }} - name: DD_CSRF_COOKIE_SECURE diff --git a/helm/defectdojo/templates/sa.yaml b/helm/defectdojo/templates/sa.yaml index 2c6b166510c..4345da6360a 100644 --- a/helm/defectdojo/templates/sa.yaml +++ b/helm/defectdojo/templates/sa.yaml @@ -15,9 +15,11 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} annotations: + {{- if (not .Values.disableHooks) }} helm.sh/resource-policy: keep helm.sh/hook: "pre-install" helm.sh/hook-delete-policy: "before-hook-creation" + {{- end }} {{- with .Values.annotations }} {{ toYaml . | nindent 4 }} {{- end }} diff --git a/helm/defectdojo/templates/secret-postgresql.yaml b/helm/defectdojo/templates/secret-postgresql.yaml index 979e4d75c9c..12924bb29c5 100644 
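Review bot: Marking the `DD_SECRET_KEY` and `DD_CREDENTIAL_AES_256_KEY` references `optional: true` in the django Deployment means a pod starts with neither variable set whenever the `{{ $fullName }}` Secret is missing or mis-named, instead of failing with a container config error; what the application then does (refuse to start, or fall back to a built-in default key) is not visible here, and if it is the latter the session-signing key and the credential-encryption key silently become predictable. Unless there is a rendering-order reason that needs the reference to be soft, I would drop `optional: true` for these two keys, or at least add a comment above them such as `# optional so the pod can start before the secret exists; the app must refuse to run without these keys` so the fail-open behaviour is deliberate. The same relaxation is applied to the celery-beat and celery-worker Deployments above and to tests/unit-tests.yaml in the same patch.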
--- a/helm/defectdojo/templates/secret-postgresql.yaml +++ b/helm/defectdojo/templates/secret-postgresql.yaml @@ -12,9 +12,11 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} annotations: + {{- if (not .Values.disableHooks) }} helm.sh/resource-policy: keep helm.sh/hook: "pre-install" helm.sh/hook-delete-policy: "before-hook-creation" + {{- end }} {{- with .Values.secrets.annotations }} {{- toYaml . | nindent 4 }} {{- end }} diff --git a/helm/defectdojo/templates/secret-redis.yaml b/helm/defectdojo/templates/secret-redis.yaml index 35abc641fe9..f6d102c2513 100644 --- a/helm/defectdojo/templates/secret-redis.yaml +++ b/helm/defectdojo/templates/secret-redis.yaml @@ -12,9 +12,11 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} annotations: + {{- if (not .Values.disableHooks) }} helm.sh/resource-policy: keep helm.sh/hook: "pre-install" helm.sh/hook-delete-policy: "before-hook-creation" + {{- end }} {{- with .Values.secrets.annotations }} {{- toYaml . | nindent 4 }} {{- end }} diff --git a/helm/defectdojo/templates/secret.yaml b/helm/defectdojo/templates/secret.yaml index e09dad92244..c3a3c56f6c4 100644 --- a/helm/defectdojo/templates/secret.yaml +++ b/helm/defectdojo/templates/secret.yaml @@ -13,9 +13,11 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} annotations: + {{- if (not .Values.disableHooks) }} helm.sh/resource-policy: keep helm.sh/hook: "pre-install" helm.sh/hook-delete-policy: "before-hook-creation" + {{- end }} {{- with .Values.secrets.annotations }} {{- toYaml . | nindent 4 }} {{- end }} diff --git a/helm/defectdojo/templates/tests/unit-tests.yaml b/helm/defectdojo/templates/tests/unit-tests.yaml index 252c92090e5..28ade7f2942 100644 --- a/helm/defectdojo/templates/tests/unit-tests.yaml +++ b/helm/defectdojo/templates/tests/unit-tests.yaml 
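Review bot: `helm.sh/resource-policy: keep` is placed inside the new `{{- if (not .Values.disableHooks) }}` guard in secret.yaml, secret-postgresql.yaml and secret-redis.yaml, but it is not a hook annotation: it is what prevents `helm uninstall` and rollbacks from deleting these Secrets. With `disableHooks: true` an uninstall would remove the Secret that presumably holds `DD_CREDENTIAL_AES_256_KEY` (the django Deployment reads that key from `{{ $fullName }}`), which makes any credentials already encrypted in the database unrecoverable, and the generated DB and Redis passwords go with it. Suggest moving `helm.sh/resource-policy: keep` above the `{{- if` line so that only `helm.sh/hook` and `helm.sh/hook-delete-policy` are conditional.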
@@ -51,11 +51,13 @@ spec: secretKeyRef: name: {{ $fullName }} key: DD_SECRET_KEY + optional: true - name: DD_CREDENTIAL_AES_256_KEY valueFrom: secretKeyRef: name: {{ $fullName }} key: DD_CREDENTIAL_AES_256_KEY + optional: true resources: {{- toYaml .Values.tests.unitTests.resources | nindent 8 }} restartPolicy: Never diff --git a/helm/defectdojo/values.yaml b/helm/defectdojo/values.yaml index 88c2336619e..e72469e8c37 100644 --- a/helm/defectdojo/values.yaml +++ b/helm/defectdojo/values.yaml @@ -1,4 +1,4 @@ ---- + --- # Global settings # create defectdojo specific secret createSecret: false @@ -12,6 +12,9 @@ createPostgresqlSecret: false # - enabled, enables tracking configuration changes based on SHA256 # trackConfig: disabled +# Avoid using pre-install hooks, which might cause issues with ArgoCD +disableHooks: false + extraLabels: {} # Add extra labels for k8s From b474297b646e7c3547cbf71e158e540208d32fca Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jes=C3=BAs=20Fern=C3=A1ndez?= <7312236+fernandezcuesta@users.noreply.github.com> Date: Mon, 30 Jun 2025 09:19:59 +0200 Subject: [PATCH 09/11] fix: review --- helm/defectdojo/Chart.yaml | 4 ++-- .../templates/celery-beat-deployment.yaml | 13 +++++++------ .../templates/celery-worker-deployment.yaml | 11 ++++++----- helm/defectdojo/templates/django-deployment.yaml | 14 +++++++++----- helm/defectdojo/values.yaml | 11 ++++++++++- 5 files changed, 34 insertions(+), 19 deletions(-) diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml index 88cfee2009e..eadfb4d6519 100644 --- a/helm/defectdojo/Chart.yaml +++ b/helm/defectdojo/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 appVersion: "2.47.3" description: A Helm chart for Kubernetes to install DefectDojo name: defectdojo -version: 1.6.194-dev +version: 1.6.193 icon: https://www.defectdojo.org/img/favicon.ico maintainers: - name: madchap 
@@ -14,6 +14,6 @@ dependencies: repository: oci://registry-1.docker.io/bitnamicharts condition: postgresql.enabled - name: redis - version: ~21.2.5 + version: ~19.6.0 repository: oci://registry-1.docker.io/bitnamicharts condition: redis.enabled diff --git a/helm/defectdojo/templates/celery-beat-deployment.yaml b/helm/defectdojo/templates/celery-beat-deployment.yaml index dd84020ca37..15a29117aa4 100644 --- a/helm/defectdojo/templates/celery-beat-deployment.yaml +++ b/helm/defectdojo/templates/celery-beat-deployment.yaml @@ -11,14 +11,12 @@ metadata: app.kubernetes.io/managed-by: {{ .Release.Service }} helm.sh/chart: {{ include "defectdojo.chart" . }} {{- with .Values.extraLabels }} - {{- toYaml . | nindent 4 }} + {{- toYaml . | nindent 4 }} {{- end }} -{{- if .Values.celery.annotations }} + {{- with .Values.celery.worker.annotations }} annotations: -{{- with .Values.celery.annotations }} - {{- toYaml . | nindent 4 }} -{{- end }} -{{- end }} + {{- toYaml . | nindent 4 }} + {{- end }} spec: replicas: {{ .Values.celery.beat.replicas }} {{- if .Values.revisionHistoryLimit }} @@ -163,6 +161,9 @@ spec: name: {{ $fullName }} key: DD_SECRET_KEY optional: true + {{- with .Values.extraEnv }} + {{- . | toYaml | nindent 8 }} + {{- end }} {{- with .Values.celery.beat.extraEnv }} {{- . | toYaml | nindent 8 }} {{- end }} diff --git a/helm/defectdojo/templates/celery-worker-deployment.yaml b/helm/defectdojo/templates/celery-worker-deployment.yaml index 79116e49bf3..ff97726452d 100644 --- a/helm/defectdojo/templates/celery-worker-deployment.yaml +++ b/helm/defectdojo/templates/celery-worker-deployment.yaml 
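Review bot: The celery-beat Deployment now reads `.Values.celery.worker.annotations`, the same key the worker Deployment reads in the next file, so the beat Deployment can no longer be annotated independently and the key in this template looks like a copy-paste from celery-worker-deployment.yaml; `{{- with .Values.celery.beat.annotations }}` would be the symmetric choice (whether values.yaml defines either key is not visible in this chunk). Both templates also stop reading `.Values.celery.annotations`, so existing users who set it will lose their annotations silently on upgrade; a fallback such as `{{- with (.Values.celery.beat.annotations | default .Values.celery.annotations) }}` or a note in the upgrade docs would avoid that.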
@@ -13,12 +13,10 @@ metadata: {{- with .Values.extraLabels }} {{- toYaml . | nindent 4 }} {{- end }} -{{- if .Values.celery.annotations }} + {{- with .Values.celery.worker.annotations }} annotations: -{{- with .Values.celery.annotations }} - {{- toYaml . | nindent 4 }} -{{- end }} -{{- end }} + {{- toYaml . | nindent 4 }} + {{- end }} spec: replicas: {{ .Values.celery.worker.replicas }} {{- if .Values.revisionHistoryLimit }} @@ -158,6 +156,9 @@ spec: name: {{ $fullName }} key: DD_SECRET_KEY optional: true + {{- with .Values.extraEnv }} + {{- . | toYaml | nindent 8 }} + {{- end }} {{- with .Values.celery.worker.extraEnv }} {{- . | toYaml | nindent 8 }} {{- end }} diff --git a/helm/defectdojo/templates/django-deployment.yaml b/helm/defectdojo/templates/django-deployment.yaml index de815381a01..fb77e8f7e88 100644 --- a/helm/defectdojo/templates/django-deployment.yaml +++ b/helm/defectdojo/templates/django-deployment.yaml @@ -12,12 +12,10 @@ metadata: {{- with .Values.extraLabels }} {{- toYaml . | nindent 4 }} {{- end }} -{{- if .Values.django.annotations }} + {{- with .Values.django.annotations }} annotations: -{{- with .Values.django.annotations }} - {{- toYaml . | nindent 4 }} -{{- end }} -{{- end }} + {{- toYaml . | nindent 4 }} + {{- end }} spec: replicas: {{ .Values.django.replicas }} {{- with .Values.django.strategy }} @@ -211,6 +209,9 @@ spec: value: {{- if or .Values.django.ingress.activateTLS .Values.django.nginx.tls.enabled }} "True" {{- else }} "False" {{- end }} - name: DD_CSRF_COOKIE_SECURE value: {{- if or .Values.django.ingress.activateTLS .Values.django.nginx.tls.enabled }} "True" {{- else }} "False" {{- end }} + {{- with .Values.extraEnv }} + {{- . | toYaml | nindent 8 }} + {{- end }} {{- with .Values.django.uwsgi.extraEnv }} {{- . | toYaml | nindent 8 }} {{- end }} 
@@ -264,6 +265,9 @@ spec: value: '{{ .Values.django.nginx.tls.enabled }}' - name: GENERATE_TLS_CERTIFICATE value: '{{ .Values.django.nginx.tls.generateCertificate }}' + {{- with .Values.extraEnv }} + {{- . | toYaml | nindent 8 }} + {{- end }} {{- with .Values.django.nginx.extraEnv }} {{- . | toYaml | nindent 8 }} {{- end }} diff --git a/helm/defectdojo/values.yaml b/helm/defectdojo/values.yaml index e72469e8c37..a2a469dc182 100644 --- a/helm/defectdojo/values.yaml +++ b/helm/defectdojo/values.yaml @@ -1,4 +1,4 @@ - --- +--- # Global settings # create defectdojo specific secret createSecret: false @@ -492,6 +492,15 @@ redis: # DD_SOCIAL_AUTH_AUTH0_SECRET: 'xxx' extraConfigs: {} +# To add (or override) extra variables which need to be pulled from another configMap, you can +# use extraEnv. For example: +# extraEnv: +# - name: DD_DATABASE_HOST +# valueFrom: +# configMapKeyRef: +# name: my-other-postgres-configmap +# key: cluster_endpoint + # To add code snippet which would extend setting functionality, you might add it here # It will be stored as ConfigMap and mounted `dojo/settings/local_settings.py`. # For more see: https://documentation.defectdojo.com/getting_started/configuration/ From 5c2f804f87ae7ba8d53aac25116fdc1f98077a5c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jes=C3=BAs=20Fern=C3=A1ndez?= <7312236+fernandezcuesta@users.noreply.github.com> Date: Mon, 30 Jun 2025 09:23:23 +0200 Subject: [PATCH 10/11] chore: restore Chart.lock --- helm/defectdojo/Chart.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/helm/defectdojo/Chart.lock b/helm/defectdojo/Chart.lock index b114b549ab0..d1a4743c13c 100644 --- a/helm/defectdojo/Chart.lock +++ b/helm/defectdojo/Chart.lock 
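Review bot: The global `.Values.extraEnv` is rendered into the nginx container here as well as into the uwsgi container in the previous hunk, while the values.yaml example for it is `DD_DATABASE_HOST` pulled from a ConfigMap; anything a user adds there, including `secretKeyRef` entries, therefore also lands in the reverse-proxy container, which has no need for database endpoints or credentials. Suggest either leaving the global list out of the nginx container (users still have `django.nginx.extraEnv`) or stating the fan-out in the values comment, e.g. `# extraEnv is added to every container, including nginx; put credentials in the per-component extraEnv instead`. The "(or override)" wording in the values comment presumably relies on the last duplicate `name` in the env list winning; a one-line note on the ordering (chart defaults, then extraEnv, then the component's extraEnv) would make that contract explicit.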
@@ -1,9 +1,9 @@
 dependencies:
 - name: postgresql
 repository: oci://registry-1.docker.io/bitnamicharts
- version: 16.7.13
+ version: 16.7.14
 - name: redis
 repository: oci://registry-1.docker.io/bitnamicharts
- version: 21.2.5
-digest: sha256:e7440eab01608ec924098f92de7c077f43595776275ef6e96df6d2dc1b2156f4
-generated: "2025-06-25T13:39:17.038667777+02:00"
+ version: 19.6.4
+digest: sha256:643ede898fbea90b5438d024ce7e58fd07e08d0cc2fd32c8a41283317fbff308
+generated: "2025-06-30T09:23:03.061189845+02:00"
From fba0cd079078b5b8904e608f1bf8cdcfac9324d6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jes=C3=BAs=20Fern=C3=A1ndez?= <7312236+fernandezcuesta@users.noreply.github.com>
Date: Wed, 2 Jul 2025 08:01:00 +0200
Subject: [PATCH 11/11] chore: update chart.lock
---
 helm/defectdojo/Chart.lock | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/helm/defectdojo/Chart.lock b/helm/defectdojo/Chart.lock
index d1a4743c13c..c1c3d4620b8 100644
--- a/helm/defectdojo/Chart.lock
+++ b/helm/defectdojo/Chart.lock
@@ -1,9 +1,9 @@
 dependencies:
 - name: postgresql
 repository: oci://registry-1.docker.io/bitnamicharts
- version: 16.7.14
+ version: 16.7.15
 - name: redis
 repository: oci://registry-1.docker.io/bitnamicharts
 version: 19.6.4
-digest: sha256:643ede898fbea90b5438d024ce7e58fd07e08d0cc2fd32c8a41283317fbff308
-generated: "2025-06-30T09:23:03.061189845+02:00"
+digest: sha256:b7190cec386cfc905413b0e7638bcafac0f6c19f1b0dc0b1bd768c09cf8dc295
+generated: "2025-07-02T07:45:06.165441283+02:00"