diff --git a/docs/content/en/open_source/upgrading/2.52.md b/docs/content/en/open_source/upgrading/2.52.md
index 2cc20c6b446..b15986e5228 100644
--- a/docs/content/en/open_source/upgrading/2.52.md
+++ b/docs/content/en/open_source/upgrading/2.52.md
@@ -2,6 +2,34 @@
 title: 'Upgrading to DefectDojo Version 2.52.x'
 toc_hide: true
 weight: -20251006
-description: No special instructions.
+description: Helm chart changes.
 ---
-There are no special instructions for upgrading to 2.52.x. Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.52.0) for the contents of the release.
+
+## Helm Chart Changes
+
+This release introduces more important changes to the Helm chart configuration:
+
+### Breaking changes
+
+#### Security context
+
+This Helm chart extends security context capabilities to all deployed pods and containers.
+You can define a default pod and container security context globally using `securityContext.podSecurityContext` and `securityContext.containerSecurityContext` keys.
+Additionally, each deployment can specify its own pod and container security contexts, which will override or merge with the global ones.
+
+#### Fine-grained resources
+
+Now each container can specify the resource requests and limits.
+
+#### Moved values
+
+The following Helm chart values have been modified in this release:
+
+- `securityContext.djangoSecurityContext` → deprecated in favor of container-specific security contexts (`celery.beat.containerSecurityContext`, `celery.worker.containerSecurityContext`, `django.uwsgi.containerSecurityContext` and `dbMigrationChecker.containerSecurityContext`)
+- `securityContext.nginxSecurityContext` → deprecated in favor of container-specific security contexts (`django.nginx.containerSecurityContext`)
+
+### Other changes
+
+- **Extra annotations**: Now we can add common annotations to all resources.
+
+There are other instructions for upgrading to 2.52.x. Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.52.0) for the contents of the release.
diff --git a/helm/defectdojo/README.md b/helm/defectdojo/README.md
index 4ca6d85d2c8..fac1345d8c2 100644
--- a/helm/defectdojo/README.md
+++ b/helm/defectdojo/README.md
@@ -524,10 +524,11 @@ A Helm chart for Kubernetes to install DefectDojo
 | admin.password | string | `""` | |
 | admin.secretKey | string | `""` | |
 | admin.user | string | `"admin"` | |
-| annotations | object | `{}` | |
+| alternativeHosts | list | `[]` | |
 | celery.annotations | object | `{}` | |
 | celery.beat.affinity | object | `{}` | |
 | celery.beat.annotations | object | `{}` | |
+| celery.beat.containerSecurityContext | object | `{}` | |
 | celery.beat.extraEnv | list | `[]` | |
 | celery.beat.extraInitContainers | list | `[]` | |
 | celery.beat.extraVolumeMounts | list | `[]` | |
@@ -535,6 +536,7 @@ A Helm chart for Kubernetes to install DefectDojo
 | celery.beat.livenessProbe | object | `{}` | |
 | celery.beat.nodeSelector | object | `{}` | |
 | celery.beat.podAnnotations | object | `{}` | |
+| celery.beat.podSecurityContext | object | `{}` | |
 | celery.beat.readinessProbe | object | `{}` | |
 | celery.beat.replicas | int | `1` | |
 | celery.beat.resources.limits.cpu | string | `"2000m"` | |
@@ -548,6 +550,7 @@ A Helm chart for Kubernetes to install DefectDojo
 | celery.worker.affinity | object | `{}` | |
 | celery.worker.annotations | object | `{}` | |
 | celery.worker.appSettings.poolType | string | `"solo"` | |
+| celery.worker.containerSecurityContext | object | `{}` | |
 | celery.worker.extraEnv | list | `[]` | |
 | celery.worker.extraInitContainers | list | `[]` | |
 | celery.worker.extraVolumeMounts | list | `[]` | |
@@ -555,6 +558,7 @@ A Helm chart for Kubernetes to install DefectDojo
 | celery.worker.livenessProbe | object | `{}` | |
 | celery.worker.nodeSelector | object | `{}` | |
 | celery.worker.podAnnotations | object | `{}` | |
+| celery.worker.podSecurityContext | object | `{}` | |
 | celery.worker.readinessProbe | object | `{}` | |
 | celery.worker.replicas | int | `1` | |
 | celery.worker.resources.limits.cpu | string | `"2000m"` | |
@@ -563,18 +567,25 @@ A Helm chart for Kubernetes to install DefectDojo
 | celery.worker.resources.requests.memory | string | `"128Mi"` | |
 | celery.worker.startupProbe | object | `{}` | |
 | celery.worker.tolerations | list | `[]` | |
+| cloudsql.containerSecurityContext | object | `{}` | |
 | cloudsql.enable_iam_login | bool | `false` | |
 | cloudsql.enabled | bool | `false` | |
+| cloudsql.extraEnv | list | `[]` | |
+| cloudsql.extraVolumeMounts | list | `[]` | |
 | cloudsql.image.pullPolicy | string | `"IfNotPresent"` | |
 | cloudsql.image.repository | string | `"gcr.io/cloudsql-docker/gce-proxy"` | |
 | cloudsql.image.tag | string | `"1.37.9"` | |
 | cloudsql.instance | string | `""` | |
+| cloudsql.resources | object | `{}` | |
 | cloudsql.use_private_ip | bool | `false` | |
 | cloudsql.verbose | bool | `true` | |
 | createPostgresqlSecret | bool | `false` | |
 | createRedisSecret | bool | `false` | |
 | createSecret | bool | `false` | |
+| dbMigrationChecker.containerSecurityContext | object | `{}` | |
 | dbMigrationChecker.enabled | bool | `true` | |
+| dbMigrationChecker.extraEnv | list | `[]` | |
+| dbMigrationChecker.extraVolumeMounts | list | `[]` | |
 | dbMigrationChecker.resources.limits.cpu | string | `"200m"` | |
 | dbMigrationChecker.resources.limits.memory | string | `"200Mi"` | |
 | dbMigrationChecker.resources.requests.cpu | string | `"100m"` | |
@@ -582,7 +593,9 @@ A Helm chart for Kubernetes to install DefectDojo
 | disableHooks | bool | `false` | |
 | django.affinity | object | `{}` | |
 | django.annotations | object | `{}` | |
+| django.extraEnv | list | `[]` | |
 | django.extraInitContainers | list | `[]` | |
+| django.extraVolumeMounts | list | `[]` | |
 | django.extraVolumes | list | `[]` | |
 | django.ingress.activateTLS | bool | `true` | |
 | django.ingress.annotations | object | `{}` | |
@@ -598,6 +611,7 @@ A Helm chart for Kubernetes to install DefectDojo
 | django.mediaPersistentVolume.persistentVolumeClaim.size | string | `"5Gi"` | |
 | django.mediaPersistentVolume.persistentVolumeClaim.storageClassName | string | `""` | |
 | django.mediaPersistentVolume.type | string | `"emptyDir"` | |
+| django.nginx.containerSecurityContext.runAsUser | int | `1001` | |
 | django.nginx.extraEnv | list | `[]` | |
 | django.nginx.extraVolumeMounts | list | `[]` | |
 | django.nginx.resources.limits.cpu | string | `"2000m"` | |
@@ -607,6 +621,7 @@ A Helm chart for Kubernetes to install DefectDojo
 | django.nginx.tls.enabled | bool | `false` | |
 | django.nginx.tls.generateCertificate | bool | `false` | |
 | django.nodeSelector | object | `{}` | |
+| django.podSecurityContext.fsGroup | int | `1001` | |
 | django.replicas | int | `1` | |
 | django.service.annotations | object | `{}` | |
 | django.service.type | string | `""` | |
@@ -619,6 +634,7 @@ A Helm chart for Kubernetes to install DefectDojo
 | django.uwsgi.certificates.certMountPath | string | `"/certs/"` | |
 | django.uwsgi.certificates.configName | string | `"defectdojo-ca-certs"` | |
 | django.uwsgi.certificates.enabled | bool | `false` | |
+| django.uwsgi.containerSecurityContext.runAsUser | int | `1001` | |
 | django.uwsgi.enableDebug | bool | `false` | |
 | django.uwsgi.extraEnv | list | `[]` | |
 | django.uwsgi.extraVolumeMounts | list | `[]` | |
@@ -644,6 +660,7 @@ A Helm chart for Kubernetes to install DefectDojo
 | django.uwsgi.startupProbe.periodSeconds | int | `5` | |
 | django.uwsgi.startupProbe.successThreshold | int | `1` | |
 | django.uwsgi.startupProbe.timeoutSeconds | int | `1` | |
+| extraAnnotations | object | `{}` | |
 | extraConfigs | object | `{}` | |
 | extraEnv | list | `[]` | |
 | extraLabels | object | `{}` | |
@@ -656,6 +673,7 @@ A Helm chart for Kubernetes to install DefectDojo
 | imagePullSecrets | string | `nil` | |
 | initializer.affinity | object | `{}` | |
 | initializer.annotations | object | `{}` | |
+| initializer.containerSecurityContext | object | `{}` | |
 | initializer.extraEnv | list | `[]` | |
 | initializer.extraVolumeMounts | list | `[]` | |
 | initializer.extraVolumes | list | `[]` | |
@@ -663,6 +681,7 @@ A Helm chart for Kubernetes to install DefectDojo
 | initializer.keepSeconds | int | `60` | |
 | initializer.labels | object | `{}` | |
 | initializer.nodeSelector | object | `{}` | |
+| initializer.podSecurityContext | object | `{}` | |
 | initializer.resources.limits.cpu | string | `"2000m"` | |
 | initializer.resources.limits.memory | string | `"512Mi"` | |
 | initializer.resources.requests.cpu | string | `"100m"` | |
@@ -672,9 +691,13 @@ A Helm chart for Kubernetes to install DefectDojo
 | initializer.tolerations | list | `[]` | |
 | localsettingspy | string | `""` | |
 | monitoring.enabled | bool | `false` | |
+| monitoring.prometheus.containerSecurityContext | object | `{}` | |
 | monitoring.prometheus.enabled | bool | `false` | |
+| monitoring.prometheus.extraEnv | list | `[]` | |
+| monitoring.prometheus.extraVolumeMounts | list | `[]` | |
 | monitoring.prometheus.image | string | `"nginx/nginx-prometheus-exporter:1.4.2"` | |
 | monitoring.prometheus.imagePullPolicy | string | `"IfNotPresent"` | |
+| monitoring.prometheus.resources | object | `{}` | |
 | networkPolicy.annotations | object | `{}` | |
 | networkPolicy.egress | list | `[]` | |
 | networkPolicy.enabled | bool | `false` | |
@@ -715,12 +738,14 @@ A Helm chart for Kubernetes to install DefectDojo | repositoryPrefix | string | `"defectdojo"` | | | revisionHistoryLimit | int | `10` | | | secrets.annotations | object | `{}` | | -| securityContext.djangoSecurityContext.runAsUser | int | `1001` | | +| securityContext.containerSecurityContext.runAsNonRoot | bool | `true` | | | securityContext.enabled | bool | `true` | | -| securityContext.nginxSecurityContext.runAsUser | int | `1001` | | +| securityContext.podSecurityContext.runAsNonRoot | bool | `true` | | | serviceAccount.annotations | object | `{}` | | | serviceAccount.create | bool | `true` | | | serviceAccount.labels | object | `{}` | | +| serviceAccount.name | string | `""` | | +| siteUrl | string | `""` | | | tag | string | `"latest"` | | | tests.unitTests.resources.limits.cpu | string | `"500m"` | | | tests.unitTests.resources.limits.memory | string | `"512Mi"` | | diff --git a/helm/defectdojo/templates/_helpers.tpl b/helm/defectdojo/templates/_helpers.tpl index 025b35078db..c4b6f130ab0 100644 --- a/helm/defectdojo/templates/_helpers.tpl +++ b/helm/defectdojo/templates/_helpers.tpl @@ -1,15 +1,15 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. +{{- /* vim: set filetype=mustache: */}} +{{- /* + Expand the name of the chart. */}} {{- define "defectdojo.name" -}} {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} {{- end -}} -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. +{{- /* + Create a default fully qualified app name. + We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). + If release name contains chart name it will be used as a full name. */}} {{- define "defectdojo.fullname" -}} {{- if .Values.fullnameOverride -}} 
@@ -24,15 +24,15 @@ If release name contains chart name it will be used as a full name. {{- end -}} {{- end -}} -{{/* -Create chart name and version as used by the chart label. +{{- /* + Create chart name and version as used by the chart label. */}} {{- define "defectdojo.chart" -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} {{- end -}} -{{/* -Create the name of the service account to use +{{- /* + Create the name of the service account to use */}} {{- define "defectdojo.serviceAccountName" -}} {{- if .Values.serviceAccount.create -}} @@ -42,7 +42,7 @@ Create the name of the service account to use {{- end -}} {{- end -}} -{{/* +{{- /* Determine the hostname to use for PostgreSQL/Redis. */}} {{- define "postgresql.hostname" -}} @@ -67,7 +67,7 @@ Create the name of the service account to use {{- end -}} {{- end -}} -{{/* +{{- /* Determine the protocol to use for Redis. */}} {{- define "redis.scheme" -}} @@ -82,7 +82,7 @@ Create the name of the service account to use {{- end -}} {{- end -}} -{{/* +{{- /* Builds the repository names for use with local or private registries */}} {{- define "celery.repository" -}} @@ -109,7 +109,7 @@ Create the name of the service account to use {{- end -}} {{- end -}} -{{/* +{{- /* Creates the array for DD_ALLOWED_HOSTS in configmap */}} {{- define "django.allowed_hosts" -}} @@ -121,7 +121,7 @@ Create the name of the service account to use {{- end -}} {{- end -}} -{{/* +{{- /* Creates the persistentVolumeName */}} {{- define "django.pvc_name" -}} @@ -132,7 +132,7 @@ Create the name of the service account to use {{- end -}} {{- end -}} -{{/* +{{- /* Define db-migration-checker */}} {{- define "dbMigrationChecker" -}} 
@@ -145,7 +145,11 @@ Create the name of the service account to use imagePullPolicy: {{ .Values.imagePullPolicy }} {{- if .Values.securityContext.enabled }} securityContext: - {{- toYaml .Values.securityContext.djangoSecurityContext | nindent 4 }} + {{- include "helpers.securityContext" (list + .Values + "securityContext.containerSecurityContext" + "dbMigrationChecker.containerSecurityContext" + ) | nindent 4 }} {{- end }} envFrom: - configMapRef: 
@@ -163,9 +167,64 @@ Create the name of the service account to use secretKeyRef: name: {{ .Values.postgresql.auth.existingSecret | default "defectdojo-postgresql-specific" }} key: {{ .Values.postgresql.auth.secretKeys.userPasswordKey | default "postgresql-password" }} - {{- if .Values.extraEnv }} - {{- toYaml .Values.extraEnv | nindent 2 }} + {{- with .Values.extraEnv }} + {{- toYaml . | nindent 2 }} + {{- end }} + {{- with.Values.dbMigrationChecker.extraEnv }} + {{- toYaml . | nindent 2 }} {{- end }} resources: {{- toYaml .Values.dbMigrationChecker.resources | nindent 4 }} + {{- with .Values.dbMigrationChecker.extraVolumeMounts }} + volumeMounts: + {{- . | toYaml | nindent 4 }} + {{- end }} +{{- end -}} + +{{- /* +Returns the JSON representation of the value for a dot-notation path +from a given context. + Args: + 0: context (e.g., .Values) + 1: path (e.g., "foo.bar") +*/}} +{{- define "helpers.getValue" -}} + {{- $ctx := merge dict (index . 0) -}} + {{- $path := index . 1 -}} + {{- $parts := splitList "." $path -}} + {{- $value := $ctx -}} + {{- range $idx, $part := $parts -}} + {{- if kindIs "map" $value -}} + {{- $value = index $value $part -}} + {{- else -}} + {{- $value = "" -}} + {{- /* Exit early by setting to last iteration */}} + {{- $idx = sub (len $parts) 1 -}} + {{- end -}} + {{- end -}} + {{- toJson $value -}} +{{- end -}} + +{{- /* + Build the security context. + Args: + 0: values context (.Values) + 1: the default security context key (e.g. "securityContext.containerSecurityContext") + 2: the key under the context with security context (e.g., "foo.bar") +*/}} +{{- define "helpers.securityContext" -}} +{{- $values := merge dict (index . 0) -}} +{{- $defaultSecurityContextKey := index . 1 -}} +{{- $securityContextKey := index . 
2 -}} +{{- $securityContext := dict -}} +{{- with $values }} + {{- $securityContext = (merge + $securityContext + (include "helpers.getValue" (list $values $defaultSecurityContextKey) | fromJson) + (include "helpers.getValue" (list $values $securityContextKey) | fromJson) + ) -}} +{{- end -}} +{{- with $securityContext -}} +{{- . | toYaml | nindent 2 -}} +{{- end -}} {{- end -}} diff --git a/helm/defectdojo/templates/celery-beat-deployment.yaml b/helm/defectdojo/templates/celery-beat-deployment.yaml index 166f6c2afeb..8a80d0ffec7 100644 --- a/helm/defectdojo/templates/celery-beat-deployment.yaml +++ b/helm/defectdojo/templates/celery-beat-deployment.yaml @@ -2,7 +2,12 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: {{ $fullName }}-celery-beat + {{- with mergeOverwrite dict .Values.extraAnnotations .Values.celery.annotations .Values.celery.beat.annotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ quote $value }} + {{- end }} + {{- end }} labels: defectdojo.org/component: celery defectdojo.org/subcomponent: beat @@ -10,13 +15,11 @@ metadata: app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} helm.sh/chart: {{ include "defectdojo.chart" . }} - {{- with .Values.extraLabels }} - {{- toYaml . | nindent 4 }} + {{- range $key, $value := .Values.extraLabels }} + {{ $key }}: {{ quote $value }} {{- end }} - {{- with mergeOverwrite .Values.celery.annotations .Values.celery.beat.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} + name: {{ $fullName }}-celery-beat + namespace: {{ .Release.Namespace }} spec: replicas: {{ .Values.celery.beat.replicas }} {{- with .Values.revisionHistoryLimit }} 
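Review bot: `helpers.securityContext` combines the two contexts with `merge`, which gives precedence to the destination and then to the earlier source, so a non-empty key in the global `securityContext.containerSecurityContext` wins over the same key in the per-container context — the opposite of the "override" the upgrade notes promise (a global `runAsUser`, for instance, could not be changed for one container). Switch the call to `mergeOverwrite`, where the last argument wins: `{{- $securityContext = (mergeOverwrite` with the rest of the expression unchanged. In the same hunk, `{{- with.Values.dbMigrationChecker.extraEnv }}` is missing the space after `with` (it parses only because `.` terminates the keyword) and should read `{{- with .Values.dbMigrationChecker.extraEnv }}`. The "Exit early by setting to last iteration" comment in `helpers.getValue` is misleading: assigning `$idx` inside `range` does not stop the loop, which simply keeps `$value` at `""` on the remaining iterations; use `{{ break }}` or reword the comment.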
@@ -35,15 +38,12 @@ spec: defectdojo.org/subcomponent: beat app.kubernetes.io/name: {{ include "defectdojo.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} - {{- with .Values.extraLabels }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.podLabels }} - {{- toYaml . | nindent 8 }} + {{- range $key, $value := mergeOverwrite dict .Values.extraLabels .Values.podLabels }} + {{ $key }}: {{ quote $value }} {{- end }} annotations: - {{- with mergeOverwrite .Values.celery.annotations .Values.celery.beat.podAnnotations }} - {{- toYaml . | nindent 8 }} + {{- range $key, $value := mergeOverwrite dict .Values.extraAnnotations .Values.celery.annotations .Values.celery.beat.podAnnotations }} + {{ $key }}: {{ quote $value }} {{- end }} {{- if eq (.Values.trackConfig | default "disabled") "enabled" }} checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} @@ -51,6 +51,14 @@ spec: checksum/esecret: {{ include (print $.Template.BasePath "/extra-secret.yaml") . | sha256sum }} {{- end }} spec: + {{- if .Values.securityContext.enabled }} + securityContext: + {{- include "helpers.securityContext" (list + .Values + "securityContext.podSecurityContext" + "celery.beat.podSecurityContext" + ) | nindent 8 }} + {{- end }} serviceAccountName: {{ include "defectdojo.serviceAccountName" . }} {{- with .Values.imagePullSecrets }} imagePullSecrets: @@ -59,12 +67,12 @@ spec: volumes: - name: run emptyDir: {} - {{- if .Values.localsettingspy }} + {{- if .Values.localsettingspy }} - name: localsettingspy configMap: name: {{ $fullName }}-localsettingspy {{- end }} - {{- if .Values.django.uwsgi.certificates.enabled }} + {{- if .Values.django.uwsgi.certificates.enabled }} - name: cert-mount configMap: name: {{ .Values.django.uwsgi.certificates.configName }} 
@@ -82,9 +90,18 @@ spec: - name: cloudsql-proxy image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }} imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }} + {{- with .Values.cloudsql.resources }} + resources: {{- . | toYaml | nindent 10 }} + {{- end }} restartPolicy: Always + {{- if .Values.securityContext.enabled }} securityContext: - runAsNonRoot: true + {{- include "helpers.securityContext" (list + .Values + "securityContext.containerSecurityContext" + "cloudsql.containerSecurityContext" + ) | nindent 10 }} + {{- end }} command: ["/cloud_sql_proxy"] args: - "-verbose={{ .Values.cloudsql.verbose }}" @@ -118,12 +135,16 @@ spec: {{- end }} {{- if .Values.securityContext.enabled }} securityContext: - {{- toYaml .Values.securityContext.djangoSecurityContext | nindent 10 }} + {{- include "helpers.securityContext" (list + .Values + "securityContext.containerSecurityContext" + "celery.beat.containerSecurityContext" + ) | nindent 10 }} {{- end }} volumeMounts: - name: run mountPath: /run/defectdojo - {{- if .Values.localsettingspy }} + {{- if .Values.localsettingspy }} - name: localsettingspy readOnly: true mountPath: /app/dojo/settings/local_settings.py diff --git a/helm/defectdojo/templates/celery-worker-deployment.yaml b/helm/defectdojo/templates/celery-worker-deployment.yaml index ce4881094e9..fe2e0f08c6f 100644 --- a/helm/defectdojo/templates/celery-worker-deployment.yaml +++ b/helm/defectdojo/templates/celery-worker-deployment.yaml @@ -2,7 +2,12 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: {{ $fullName }}-celery-worker + {{- with mergeOverwrite dict .Values.extraAnnotations .Values.celery.annotations .Values.celery.worker.annotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ quote $value }} + {{- end }} + {{- end }} labels: defectdojo.org/component: celery defectdojo.org/subcomponent: worker 
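Review bot: The cloudsql-proxy sidecar previously carried an unconditional `runAsNonRoot: true`; wrapping its securityContext in `{{- if .Values.securityContext.enabled }}` means a release with `securityContext.enabled: false` now runs the proxy with no securityContext at all, a silent hardening regression. The same pattern is repeated in the celery-worker and django-deployment cloudsql hunks. If dropping every context when the flag is off is intended, state it in the upgrade notes; otherwise keep the old line as a fallback in an `{{- else }}` branch: `securityContext:` / `  runAsNonRoot: true`.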
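Review bot: The celery-beat container's securityContext is now `securityContext.containerSecurityContext` (default `runAsNonRoot: true` per the README hunk) merged with `celery.beat.containerSecurityContext` (default `{}`), so the `runAsUser: 1001` that `securityContext.djangoSecurityContext` used to supply is gone for celery containers, while uwsgi and nginx keep a `runAsUser: 1001` default in values. With `runAsNonRoot: true` and no `runAsUser`, the kubelet can only start the container if the image declares a numeric non-root USER; if it declares a named user or none, the pod stays in CreateContainerConfigError. The celery-worker and dbMigrationChecker containers in this commit are in the same position. Either restore `runAsUser: 1001` in the celery and dbMigrationChecker defaults or confirm the image's USER and note the change under "Moved values".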
@@ -10,13 +15,11 @@ metadata: app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} helm.sh/chart: {{ include "defectdojo.chart" . }} - {{- with .Values.extraLabels }} - {{- toYaml . | nindent 4 }} + {{- range $key, $value := .Values.extraLabels }} + {{ $key }}: {{ quote $value }} {{- end }} - {{- with mergeOverwrite .Values.celery.annotations .Values.celery.worker.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} + name: {{ $fullName }}-celery-worker + namespace: {{ .Release.Namespace }} spec: replicas: {{ .Values.celery.worker.replicas }} {{- with .Values.revisionHistoryLimit }} @@ -35,15 +38,12 @@ spec: defectdojo.org/subcomponent: worker app.kubernetes.io/name: {{ include "defectdojo.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} - {{- with .Values.extraLabels }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.podLabels }} - {{- toYaml . | nindent 8 }} + {{- range $key, $value := mergeOverwrite dict .Values.extraLabels .Values.podLabels }} + {{ $key }}: {{ quote $value }} {{- end }} annotations: - {{- with mergeOverwrite .Values.celery.annotations .Values.celery.worker.podAnnotations }} - {{- toYaml . | nindent 8 }} + {{- range $key, $value := mergeOverwrite dict .Values.extraAnnotations .Values.celery.annotations .Values.celery.worker.podAnnotations }} + {{ $key }}: {{ quote $value }} {{- end }} {{- if eq (.Values.trackConfig | default "disabled") "enabled" }} checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} 
@@ -51,18 +51,26 @@ spec: checksum/esecret: {{ include (print $.Template.BasePath "/extra-secret.yaml") . | sha256sum }} {{- end }} spec: + {{- if .Values.securityContext.enabled }} + securityContext: + {{- include "helpers.securityContext" (list + .Values + "securityContext.podSecurityContext" + "celery.worker.podSecurityContext" + ) | nindent 8 }} + {{- end }} serviceAccountName: {{ include "defectdojo.serviceAccountName" . }} {{- with .Values.imagePullSecrets }} imagePullSecrets: - name: {{ . }} {{- end }} volumes: - {{- if .Values.localsettingspy }} + {{- if .Values.localsettingspy }} - name: localsettingspy configMap: name: {{ $fullName }}-localsettingspy {{- end }} - {{- if .Values.django.uwsgi.certificates.enabled }} + {{- if .Values.django.uwsgi.certificates.enabled }} - name: cert-mount configMap: name: {{ .Values.django.uwsgi.certificates.configName }} @@ -80,9 +88,18 @@ spec: - name: cloudsql-proxy image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }} imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }} + {{- with .Values.cloudsql.resources }} + resources: {{- . | toYaml | nindent 10 }} + {{- end }} restartPolicy: Always + {{- if .Values.securityContext.enabled }} securityContext: - runAsNonRoot: true + {{- include "helpers.securityContext" (list + .Values + "securityContext.containerSecurityContext" + "cloudsql.containerSecurityContext" + ) | nindent 10 }} + {{- end }} command: ["/cloud_sql_proxy"] args: - "-verbose={{ .Values.cloudsql.verbose }}" @@ -114,7 +131,11 @@ spec: {{- end }} {{- if .Values.securityContext.enabled }} securityContext: - {{- toYaml .Values.securityContext.djangoSecurityContext | nindent 10 }} + {{- include "helpers.securityContext" (list + .Values + "securityContext.containerSecurityContext" + "celery.worker.containerSecurityContext" + ) | nindent 10 }} {{- end }} command: ['/entrypoint-celery-worker.sh'] volumeMounts: 
@@ -124,7 +145,7 @@ spec: mountPath: /app/dojo/settings/local_settings.py subPath: file {{- end }} - {{- if .Values.django.uwsgi.certificates.enabled }} + {{- if .Values.django.uwsgi.certificates.enabled }} - name: cert-mount mountPath: {{ .Values.django.uwsgi.certificates.certMountPath }} {{- end }} diff --git a/helm/defectdojo/templates/configmap-local-settings-py.yaml b/helm/defectdojo/templates/configmap-local-settings-py.yaml index dc75942fbc0..30c42244251 100644 --- a/helm/defectdojo/templates/configmap-local-settings-py.yaml +++ b/helm/defectdojo/templates/configmap-local-settings-py.yaml @@ -1,14 +1,24 @@ -{{- if .Values.localsettingspy }} +{{- if .Values.localsettingspy }} {{- $fullName := include "defectdojo.fullname" . -}} apiVersion: v1 kind: ConfigMap metadata: - name: {{ $fullName }}-localsettingspy + {{- with .Values.extraAnnotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ quote $value }} + {{- end }} + {{- end }} labels: app.kubernetes.io/name: {{ include "defectdojo.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} helm.sh/chart: {{ include "defectdojo.chart" . }} + {{- with .Values.extraLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ $fullName }}-localsettingspy + namespace: {{ .Release.Namespace }} data: file: {{ toYaml .Values.localsettingspy | indent 4 }} diff --git a/helm/defectdojo/templates/configmap.yaml b/helm/defectdojo/templates/configmap.yaml index e5078f57903..d25926c2c3f 100644 --- a/helm/defectdojo/templates/configmap.yaml +++ b/helm/defectdojo/templates/configmap.yaml 
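Review bot: This ConfigMap renders `extraLabels` with `toYaml`, while the deployments and configmap.yaml in the same commit render them with `range` plus `quote`; a label whose value looks like a number or boolean would be emitted unquoted here (and rejected by the API server, since label values must be strings) but quoted everywhere else. Use the same form for consistency: `{{- range $key, $value := .Values.extraLabels }}` / `{{ $key }}: {{ quote $value }}` / `{{- end }}`.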
@@ -3,21 +3,22 @@ apiVersion: v1 kind: ConfigMap metadata: - name: {{ $fullName }} + {{- with .Values.extraAnnotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ quote $value }} + {{- end }} + {{- end }} labels: app.kubernetes.io/name: {{ include "defectdojo.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} helm.sh/chart: {{ include "defectdojo.chart" . }} - {{- with .Values.extraLabels }} - {{- toYaml . | nindent 4 }} + {{- range $key, $value := .Values.extraLabels }} + {{ $key }}: {{ quote $value }} {{- end }} -{{- if .Values.annotations }} - annotations: -{{- with .Values.annotations }} - {{- toYaml . | nindent 4 }} -{{- end }} -{{- end }} + name: {{ $fullName }} + namespace: {{ .Release.Namespace }} data: DD_ADMIN_USER: {{ .Values.admin.user | default "admin" }} DD_ADMIN_MAIL: {{ .Values.admin.Mail | default "admin@defectdojo.local" }} diff --git a/helm/defectdojo/templates/django-deployment.yaml b/helm/defectdojo/templates/django-deployment.yaml index fb77e8f7e88..16738a91b41 100644 --- a/helm/defectdojo/templates/django-deployment.yaml +++ b/helm/defectdojo/templates/django-deployment.yaml 
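Review bot: Support for `.Values.annotations` on the ConfigMap is removed here (its README row is deleted too) in favour of `extraAnnotations`, but the "Moved values" list in the upgrade notes mentions only the two securityContext keys, so a user who set `annotations:` silently loses them on upgrade. Add an entry such as `- \`annotations\` → replaced by \`extraAnnotations\`, which now applies to all resources` to the 2.52 upgrade page, or keep reading `.Values.annotations` for one more release.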
@@ -2,20 +2,23 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: {{ $fullName }}-django + {{- with mergeOverwrite dict .Values.extraAnnotations .Values.django.annotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ quote $value }} + {{- end }} + {{- end }} labels: defectdojo.org/component: django app.kubernetes.io/name: {{ include "defectdojo.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} helm.sh/chart: {{ include "defectdojo.chart" . }} - {{- with .Values.extraLabels }} - {{- toYaml . | nindent 4 }} + {{- range $key, $value := .Values.extraLabels }} + {{ $key }}: {{ quote $value }} {{- end }} - {{- with .Values.django.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} + name: {{ $fullName }}-django + namespace: {{ .Release.Namespace }} spec: replicas: {{ .Values.django.replicas }} {{- with .Values.django.strategy }} @@ -36,15 +39,12 @@ spec: defectdojo.org/component: django app.kubernetes.io/name: {{ include "defectdojo.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} - {{- with .Values.extraLabels }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.podLabels }} - {{- toYaml . | nindent 8 }} - {{- end }} + {{- range $key, $value := mergeOverwrite dict .Values.extraLabels .Values.podLabels }} + {{ $key }}: {{ quote $value }} + {{- end }} annotations: - {{- with .Values.django.annotations }} - {{- toYaml . | nindent 8 }} + {{- range $key, $value := mergeOverwrite dict .Values.extraAnnotations .Values.django.annotations }} + {{ $key }}: {{ quote $value }} {{- end }} {{- if and .Values.monitoring.enabled .Values.monitoring.prometheus.enabled }} prometheus.io/path: /metrics 
@@ -64,8 +64,14 @@ spec: - name: {{ quote . }} {{- end }} {{- if .Values.django.mediaPersistentVolume.enabled }} + {{- if .Values.securityContext.enabled }} securityContext: - fsGroup: {{ .Values.django.mediaPersistentVolume.fsGroup | default 1001 }} + {{- include "helpers.securityContext" (list + .Values + "securityContext.podSecurityContext" + "django.podSecurityContext" + ) | nindent 8 }} + {{- end }} {{- end }} volumes: - name: run @@ -101,9 +107,21 @@ spec: - name: cloudsql-proxy image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }} imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }} + {{- with .Values.cloudsql.extraEnv }} + env: {{- . | toYaml | nindent 8 }} + {{- end }} + {{- with .Values.cloudsql.resources }} + resources: {{- . | toYaml | nindent 10 }} + {{- end }} restartPolicy: Always + {{- if .Values.securityContext.enabled }} securityContext: - runAsNonRoot: true + {{- include "helpers.securityContext" (list + .Values + "securityContext.containerSecurityContext" + "cloudsql.containerSecurityContext" + ) | nindent 10 }} + {{- end }} command: ["/cloud_sql_proxy"] args: - "-verbose={{ .Values.cloudsql.verbose }}" @@ -114,9 +132,12 @@ spec: {{- if .Values.cloudsql.use_private_ip }} - "-ip_address_types=PRIVATE" {{- end }} + {{- with .Values.cloudsql.extraVolumeMounts }} + volumeMounts: {{ . | toYaml | nindent 10 }} + {{- end }} {{- end }} {{- if .Values.dbMigrationChecker.enabled }} - {{$data := dict "fullName" $fullName }} + {{- $data := dict "fullName" $fullName }} {{- $newContext := merge . (dict "fullName" $fullName) }} {{- include "dbMigrationChecker" $newContext | nindent 6 }} {{- end }} 
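Review bot: The django pod-level securityContext is still nested inside `{{- if .Values.django.mediaPersistentVolume.enabled }}`, so with the media volume disabled the pod gets no pod securityContext and none of the `securityContext.podSecurityContext` defaults, unlike the celery pods where the new block is unconditional. The template also no longer reads `django.mediaPersistentVolume.fsGroup`; `fsGroup` now comes only from `django.podSecurityContext.fsGroup`, which belongs under "Moved values". Move the `{{- if .Values.securityContext.enabled }}` block out of the mediaPersistentVolume condition. The `$data` assigned on the `{{- $data := dict "fullName" $fullName }}` line appears unused in the visible lines and could be dropped.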
@@ -126,7 +147,13 @@ spec: - name: metrics image: {{ .Values.monitoring.prometheus.image }} imagePullPolicy: {{ .Values.monitoring.prometheus.imagePullPolicy }} - command: [ '/usr/bin/nginx-prometheus-exporter', '--nginx.scrape-uri', 'http://127.0.0.1:8080/nginx_status'] + command: + - /usr/bin/nginx-prometheus-exporter + - --nginx.scrape-uri + - http://127.0.0.1:8080/nginx_status + {{- with .Values.monitoring.prometheus.extraEnv }} + env: {{- . | toYaml | nindent 8 }} + {{- end }} ports: - name: http-metrics protocol: TCP @@ -138,13 +165,31 @@ spec: periodSeconds: 20 initialDelaySeconds: 15 timeoutSeconds: 5 + {{- with .Values.monitoring.prometheus.resources }} + resources: {{- . | toYaml | nindent 10 }} + {{- end }} + {{- if .Values.securityContext.enabled }} + securityContext: + {{- include "helpers.securityContext" (list + .Values + "securityContext.containerSecurityContext" + "monitoring.prometheus.containerSecurityContext" + ) | nindent 10 }} + {{- end }} + {{- with .Values.monitoring.prometheus.extraVolumeMounts }} + volumeMounts: {{ . | toYaml | nindent 10 }} + {{- end }} {{- end }} - name: uwsgi image: '{{ template "django.uwsgi.repository" . }}:{{ .Values.tag }}' imagePullPolicy: {{ .Values.imagePullPolicy }} {{- if .Values.securityContext.enabled }} securityContext: - {{- toYaml .Values.securityContext.djangoSecurityContext | nindent 10 }} + {{- include "helpers.securityContext" (list + .Values + "securityContext.containerSecurityContext" + "django.uwsgi.containerSecurityContext" + ) | nindent 10 }} {{- end }} volumeMounts: - name: run @@ -159,6 +204,9 @@ spec: - name: cert-mount mountPath: {{ .Values.django.uwsgi.certificates.certMountPath }} {{- end }} + {{- with .Values.django.extraVolumeMounts }} + {{- . | toYaml | nindent 8 }} + {{- end }} {{- with .Values.django.uwsgi.extraVolumeMounts }} {{- . | toYaml | nindent 8 }} {{- end }} 
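Review bot: `volumeMounts: {{ . | toYaml | nindent 10 }}` for the prometheus `extraVolumeMounts` (and the cloudsql one in the previous hunk) uses `{{` where the neighbouring `resources:` and `env:` lines use `{{-`, so it leaves a trailing space after the colon; harmless to the parser but inconsistent and flagged by yamllint's trailing-spaces rule. Change both to `volumeMounts: {{- . | toYaml | nindent 10 }}`. Separately, the metrics exporter container now inherits the global `runAsNonRoot: true` when `securityContext.enabled` is true, where it previously had no securityContext; a welcome hardening, but worth a line in the upgrade notes because the exporter image must run as a numeric non-root user for the pod to start.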
@@ -212,6 +260,9 @@ spec: {{- with .Values.extraEnv }} {{- . | toYaml | nindent 8 }} {{- end }} + {{- with .Values.django.extraEnv }} + {{- . | toYaml | nindent 8 }} + {{- end }} {{- with .Values.django.uwsgi.extraEnv }} {{- . | toYaml | nindent 8 }} {{- end }} @@ -236,11 +287,18 @@ spec: imagePullPolicy: {{ .Values.imagePullPolicy }} {{- if .Values.securityContext.enabled }} securityContext: - {{- toYaml .Values.securityContext.nginxSecurityContext | nindent 10 }} + {{- include "helpers.securityContext" (list + .Values + "securityContext.containerSecurityContext" + "django.nginx.containerSecurityContext" + ) | nindent 10 }} {{- end }} volumeMounts: - name: run mountPath: /run/defectdojo + {{- with .Values.django.extraVolumeMounts }} + {{- . | toYaml | nindent 8 }} + {{- end }} {{- with .Values.django.nginx.extraVolumeMounts }} {{- . | toYaml | nindent 8 }} {{- end }} @@ -268,6 +326,9 @@ spec: {{- with .Values.extraEnv }} {{- . | toYaml | nindent 8 }} {{- end }} + {{- with .Values.django.extraEnv }} + {{- . | toYaml | nindent 8 }} + {{- end }} {{- with .Values.django.nginx.extraEnv }} {{- . | toYaml | nindent 8 }} {{- end }} diff --git a/helm/defectdojo/templates/django-ingress.yaml b/helm/defectdojo/templates/django-ingress.yaml index 4a0209d15a2..aee880f23d9 100644 --- a/helm/defectdojo/templates/django-ingress.yaml +++ b/helm/defectdojo/templates/django-ingress.yaml 
@@ -3,28 +3,32 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: {{ $fullName }} - labels: - defectdojo.org/component: django - app.kubernetes.io/name: {{ include "defectdojo.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - helm.sh/chart: {{ include "defectdojo.chart" . }} - {{- with .Values.extraLabels }} - {{- toYaml . | nindent 4 }} - {{- end }} -{{- if or .Values.django.ingress.annotations .Values.gke.useGKEIngress }} + {{- if or .Values.extraAnnotations .Values.django.ingress.annotations .Values.gke.useGKEIngress }} annotations: -{{- with .Values.django.ingress.annotations }} - {{- toYaml . | nindent 4 }} -{{- end }} + {{- range $key, $value := .Values.extraAnnotations }} + {{ $key }}: {{ quote $value }} + {{- end }} + {{- range $key, $value := .Values.django.ingress.annotations }} + {{ $key }}: {{ quote $value }} + {{- end }} {{- if .Values.gke.useGKEIngress }} {{- if .Values.gke.useManagedCertificate }} kubernetes.io/ingress.allow-http: "false" networking.gke.io/managed-certificates: {{ $fullName }}-django {{- end }} {{- end }} -{{- end }} + {{- end }} + labels: + defectdojo.org/component: django + app.kubernetes.io/name: {{ include "defectdojo.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + helm.sh/chart: {{ include "defectdojo.chart" . }} + {{- range $key, $value := .Values.extraLabels }} + {{ $key }}: {{ quote $value }} + {{- end }} + name: {{ $fullName }} + namespace: {{ .Release.Namespace }} spec: {{- if .Values.django.ingress.ingressClassName }} ingressClassName: {{ .Values.django.ingress.ingressClassName }} diff --git a/helm/defectdojo/templates/django-service.yaml b/helm/defectdojo/templates/django-service.yaml index f8c20aa092f..5f966c15edc 100644 --- a/helm/defectdojo/templates/django-service.yaml +++ b/helm/defectdojo/templates/django-service.yaml 
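Review bot: In the Ingress metadata, `extraAnnotations` and `django.ingress.annotations` are rendered as two separate `range` loops, so a key present in both produces a duplicate YAML key, whereas django-service.yaml and network-policy.yaml in this same change combine the two maps with `mergeOverwrite`. The hard-coded `kubernetes.io/ingress.allow-http: "false"` is then appended after the user maps with no deduplication either, so a user annotation with that key yields a duplicate whose winner depends on the loader (most take the last value; kubectl and Helm may reject the manifest), and the HTTP-off guarantee can be undone without any error. Collapse the two loops into `{{- range $key, $value := mergeOverwrite dict .Values.extraAnnotations .Values.django.ingress.annotations }}`, and when `gke.useManagedCertificate` is set either strip a user-supplied `kubernetes.io/ingress.allow-http` from that merged map or `fail` on it.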
@@ -2,22 +2,23 @@
 apiVersion: v1
 kind: Service
 metadata:
- name: {{ $fullName }}-django
+ {{- with mergeOverwrite dict .Values.extraAnnotations .Values.django.service.annotations }}
+ annotations:
+ {{- range $key, $value := . }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
 labels:
 defectdojo.org/component: django
 app.kubernetes.io/name: {{ include "defectdojo.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 helm.sh/chart: {{ include "defectdojo.chart" . }}
- {{- with .Values.extraLabels }}
- {{- toYaml . | nindent 4 }}
+ {{- range $key, $value := .Values.extraLabels }}
+ {{ $key }}: {{ quote $value }}
 {{- end }}
-{{- if .Values.django.service.annotations }}
- annotations:
- {{- range $key, $value := .Values.django.service.annotations }}
- {{ $key }}: {{ $value | quote }}
- {{- end }}
-{{- end }}
+ name: {{ $fullName }}-django
+ namespace: {{ .Release.Namespace }}
 spec:
 selector:
 defectdojo.org/component: django
diff --git a/helm/defectdojo/templates/extra-secret.yaml b/helm/defectdojo/templates/extra-secret.yaml
index d97800283a6..caa5b1fcbfa 100644
--- a/helm/defectdojo/templates/extra-secret.yaml
+++ b/helm/defectdojo/templates/extra-secret.yaml
@@ -3,24 +3,22 @@
 apiVersion: v1
 kind: Secret
 metadata:
- name: {{ $fullName }}-extrasecrets
+ {{- with mergeOverwrite dict .Values.secrets.annotations .Values.extraAnnotations }}
+ annotations:
+ {{- range $key, $value := . }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
 labels:
 app.kubernetes.io/name: {{ include "defectdojo.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 helm.sh/chart: {{ include "defectdojo.chart" . }}
- {{- with .Values.extraLabels }}
- {{- toYaml . | nindent 4 }}
+ {{- range $key, $value := .Values.extraLabels }}
+ {{ $key }}: {{ quote $value }}
 {{- end }}
- {{- if or .Values.secrets.annotations .Values.annotations }}
- annotations:
- {{- with .Values.secrets.annotations }}
- {{- toYaml . | nindent 4 }}
- {{- end }}
- {{- with .Values.annotations }}
- {{- toYaml . | nindent 4 }}
- {{- end }}
- {{- end }}
+ name: {{ $fullName }}-extrasecrets
+ namespace: {{ .Release.Namespace }}
 type: Opaque
 data:
 {{- range $key, $value := .Values.extraSecrets }}
diff --git a/helm/defectdojo/templates/gke-managed-certificate.yaml b/helm/defectdojo/templates/gke-managed-certificate.yaml
index 43399626310..14dc539e6b7 100644
--- a/helm/defectdojo/templates/gke-managed-certificate.yaml
+++ b/helm/defectdojo/templates/gke-managed-certificate.yaml
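Review bot: The annotation precedence in extra-secret.yaml is inverted relative to the other Secret templates: here `mergeOverwrite dict .Values.secrets.annotations .Values.extraAnnotations` lets the global `extraAnnotations` win over the secret-specific `secrets.annotations`, while secret.yaml, secret-postgresql.yaml and secret-redis.yaml in this same change use `mergeOverwrite dict .Values.extraAnnotations .Values.secrets.annotations` so the specific map wins. A user who sets a secret-scoped annotation (a sealed-secrets or vault hint, for instance) to override a global one gets a different result on this one Secret only. Swap the argument order to `{{- with mergeOverwrite dict .Values.extraAnnotations .Values.secrets.annotations }}`.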
@@ -1,9 +1,22 @@
-{{- if .Values.gke.useManagedCertificate }}
+{{- if .Values.gke.useManagedCertificate | and (.Capabilities.APIVersions.Has "networking.gke.io/v1") }}
 {{- $fullName := include "defectdojo.fullname" . -}}
 apiVersion: networking.gke.io/v1
 kind: ManagedCertificate
 metadata:
+ {{- with .Values.extraAnnotations }}
+ annotations:
+ {{- range $key, $value := . }}
+ {{ $key }}: {{ quote $value }}
+ {{- end }}
+ {{- end }}
+ {{- with .Values.extraLabels }}
+ labels:
+ {{- range $key, $value := . }}
+ {{ $key }}: {{ quote $value }}
+ {{- end }}
+ {{- end }}
 name: {{ $fullName }}-django
+ namespace: {{ .Release.Namespace }}
 spec:
 domains:
 - {{ .Values.host }}
diff --git a/helm/defectdojo/templates/initializer-job.yaml b/helm/defectdojo/templates/initializer-job.yaml
index 668812d1a08..795427b34f1 100644
--- a/helm/defectdojo/templates/initializer-job.yaml
+++ b/helm/defectdojo/templates/initializer-job.yaml
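Review bot: Gating the ManagedCertificate on `.Capabilities.APIVersions.Has "networking.gke.io/v1"` turns a misconfiguration into a silent failure: the django Ingress in this same change still emits `networking.gke.io/managed-certificates: {{ $fullName }}-django` and `kubernetes.io/ingress.allow-http: "false"` whenever `gke.useManagedCertificate` is set, so on a cluster without that API, or in a `helm template`/ArgoCD render where the capability is absent unless `--api-versions` is passed, the Ingress points at a certificate that is never created and the site stays unreachable with no error. Either apply the same capability check to those two annotations in django-ingress.yaml, or fail loudly: `{{- if and .Values.gke.useManagedCertificate (not (.Capabilities.APIVersions.Has "networking.gke.io/v1")) }}{{ fail "gke.useManagedCertificate requires networking.gke.io/v1 on the target cluster" }}{{- end }}`. As a minor style point, `x | and (y)` works but reads backwards; `and .Values.gke.useManagedCertificate (...)` is the conventional form.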
@@ -3,20 +3,23 @@ apiVersion: batch/v1 kind: Job metadata: - name: {{ template "initializer.jobname" . }} + {{- with mergeOverwrite dict .Values.extraAnnotations .Values.initializer.jobAnnotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ quote $value }} + {{- end }} + {{- end }} labels: defectdojo.org/component: initializer app.kubernetes.io/name: {{ include "defectdojo.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} helm.sh/chart: {{ include "defectdojo.chart" . }} - {{- with .Values.extraLabels }} - {{- toYaml . | nindent 4 }} - {{- end }} - annotations: - {{- with .Values.initializer.jobAnnotations }} - {{- toYaml . | nindent 4 }} + {{- range $key, $value := .Values.extraLabels }} + {{ $key }}: {{ quote $value }} {{- end }} + name: {{ template "initializer.jobname" . }} + namespace: {{ .Release.Namespace }} spec: {{- if and (int .Values.initializer.keepSeconds) (gt (int .Values.initializer.keepSeconds) 0) }} ttlSecondsAfterFinished: {{ .Values.initializer.keepSeconds }} @@ -38,6 +41,14 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} spec: + {{- if .Values.securityContext.enabled }} + securityContext: + {{- include "helpers.securityContext" (list + .Values + "securityContext.podSecurityContext" + "initializer.podSecurityContext" + ) | nindent 8 }} + {{- end }} serviceAccountName: {{ include "defectdojo.serviceAccountName" . }} {{- with .Values.imagePullSecrets }} imagePullSecrets: 
@@ -66,9 +77,18 @@ spec: - name: cloudsql-proxy image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }} imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }} + {{- with .Values.cloudsql.resources }} + resources: {{- . | toYaml | nindent 10 }} + {{- end }} restartPolicy: Always + {{- if .Values.securityContext.enabled }} securityContext: - runAsNonRoot: true + {{- include "helpers.securityContext" (list + .Values + "securityContext.containerSecurityContext" + "cloudsql.containerSecurityContext" + ) | nindent 10 }} + {{- end }} command: ["/cloud_sql_proxy"] args: - "-verbose={{ .Values.cloudsql.verbose }}" @@ -96,7 +116,11 @@ spec: imagePullPolicy: {{ .Values.imagePullPolicy }} {{- if .Values.securityContext.enabled }} securityContext: - {{- toYaml .Values.securityContext.djangoSecurityContext | nindent 10 }} + {{- include "helpers.securityContext" (list + .Values + "securityContext.containerSecurityContext" + "django.uwsgi.containerSecurityContext" + ) | nindent 10 }} {{- end }} envFrom: - configMapRef: @@ -123,7 +147,11 @@ spec: imagePullPolicy: {{ .Values.imagePullPolicy }} {{- if .Values.securityContext.enabled }} securityContext: - {{- toYaml .Values.securityContext.djangoSecurityContext | nindent 10 }} + {{- include "helpers.securityContext" (list + .Values + "securityContext.containerSecurityContext" + "initializer.containerSecurityContext" + ) | nindent 10 }} {{- end }} volumeMounts: {{- if .Values.localsettingspy }} diff --git a/helm/defectdojo/templates/media-pvc.yaml b/helm/defectdojo/templates/media-pvc.yaml index d31d3251b44..57fcae8e0c7 100644 --- a/helm/defectdojo/templates/media-pvc.yaml +++ b/helm/defectdojo/templates/media-pvc.yaml 
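Review bot: The initializer's cloudsql-proxy in the `@@ -66,9 +77,18` hunk receives `cloudsql.resources` and the new security context but not `cloudsql.extraEnv` or `cloudsql.extraVolumeMounts`, which the django deployment's copy of the same sidecar gets in this change and which values.yaml documents as applying to "the CloudSQL proxy container". If those carry credentials or CA material, the initializer's proxy starts without them and the migration job fails to connect while the app pods work, which is confusing to debug. Add the same `{{- with .Values.cloudsql.extraEnv }}` and `{{- with .Values.cloudsql.extraVolumeMounts }}` blocks here, or state in values.yaml that they apply to the django deployment only.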
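Review bot: The initializer container in the `@@ -123,7 +147,11` hunk switches from `securityContext.djangoSecurityContext` (which defaulted to `runAsUser: 1001`) to `initializer.containerSecurityContext`, whose new default in values.yaml is `{}`, so after the upgrade this container runs with only the global `runAsNonRoot: true` and whatever UID the image declares. That works only while the image's USER is numeric; an override image with a named USER is rejected by the kubelet under `runAsNonRoot`, and a different UID also changes ownership on any `fsGroup` volume the job writes. Either default `initializer.containerSecurityContext` to `runAsUser: 1001` as `django.uwsgi.containerSecurityContext` does, or add `# relies on the image USER being numeric; set runAsUser for custom images` above the empty map.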
@@ -1,22 +1,29 @@
 {{- $fullName := include "django.pvc_name" $ -}}
 {{ with .Values.django.mediaPersistentVolume }}
-{{- if and .enabled (eq .type "pvc") .persistentVolumeClaim.create }}
+{{- if and .enabled (eq .type "pvc") .persistentVolumeClaim.create }}
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
+ {{- with .Values.extraAnnotations }}
+ annotations:
+ {{- range $key, $value := . }}
+ {{ $key }}: {{ quote $value }}
+ {{- end }}
+ {{- end }}
 labels:
 defectdojo.org/component: django
 app.kubernetes.io/name: {{ include "defectdojo.name" $ }}
 app.kubernetes.io/instance: {{ $.Release.Name }}
 app.kubernetes.io/managed-by: {{ $.Release.Service }}
 helm.sh/chart: {{ include "defectdojo.chart" $ }}
- {{- with $.Values.extraLabels }}
- {{- toYaml . | nindent 4 }}
+ {{- range $key, $value := .Values.extraLabels }}
+ {{ $key }}: {{ quote $value }}
 {{- end }}
 name: {{ $fullName }}
+ namespace: {{ .Release.Namespace }}
 spec:
 accessModes:
- {{- toYaml .persistentVolumeClaim.accessModes |nindent 4 }}
+ {{- toYaml .persistentVolumeClaim.accessModes | nindent 4 }}
 resources:
 requests:
 storage: {{ .persistentVolumeClaim.size }}
diff --git a/helm/defectdojo/templates/network-policy.yaml b/helm/defectdojo/templates/network-policy.yaml
index e580a0df80c..333b58da3e6 100644
--- a/helm/defectdojo/templates/network-policy.yaml
+++ b/helm/defectdojo/templates/network-policy.yaml
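Review bot: The new lines in media-pvc.yaml dereference `.Values.extraAnnotations`, `.Values.extraLabels` and `.Release.Namespace` inside `{{ with .Values.django.mediaPersistentVolume }}`, where `.` is the `mediaPersistentVolume` map rather than the root context; the surrounding lines correctly use `$` (`$.Release.Name`, `include "defectdojo.chart" $`) and the line being removed was `$.Values.extraLabels`. Under Helm's default `missingkey=zero` the missing `.Values`/`.Release` keys resolve to nil and the chained field access then aborts rendering with a nil-pointer error, so every install with a created media PVC fails. Change them to `$.Values.extraAnnotations`, `$.Values.extraLabels` and `namespace: {{ $.Release.Namespace }}`.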
@@ -3,21 +3,22 @@ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: {{ $fullName }}-networkpolicy + {{- with mergeOverwrite dict .Values.extraAnnotations .Values.networkPolicy.annotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ quote $value }} + {{- end }} + {{- end }} labels: app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} helm.sh/chart: {{ include "defectdojo.chart" . }} app.kubernetes.io/name: {{ include "defectdojo.name" . }} - {{- with .Values.extraLabels }} - {{- toYaml . | nindent 4 }} + {{- range $key, $value := .Values.extraLabels }} + {{ $key }}: {{ quote $value }} {{- end }} -{{- if .Values.networkPolicy.annotations }} - annotations: -{{- with .Values.networkPolicy.annotations }} - {{- toYaml . | nindent 4 }} -{{- end }} -{{- end }} + name: {{ $fullName }}-networkpolicy + namespace: {{ .Release.Namespace }} spec: podSelector: matchLabels: @@ -43,15 +44,22 @@ spec: apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: {{ $fullName }}-networkpolicy-django + {{- with mergeOverwrite dict .Values.extraAnnotations .Values.networkPolicy.annotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ quote $value }} + {{- end }} + {{- end }} labels: app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} helm.sh/chart: {{ include "defectdojo.chart" . }} app.kubernetes.io/name: {{ include "defectdojo.name" . }} -{{- with .Values.extraLabels }} - {{- toYaml . | nindent 4 }} -{{- end }} + {{- range $key, $value := .Values.extraLabels }} + {{ $key }}: {{ quote $value }} + {{- end }} + name: {{ $fullName }}-networkpolicy-django + namespace: {{ .Release.Namespace }} spec: podSelector: matchLabels: diff --git a/helm/defectdojo/templates/sa.yaml b/helm/defectdojo/templates/sa.yaml index 4345da6360a..1394f077945 100644 --- a/helm/defectdojo/templates/sa.yaml 
+++ b/helm/defectdojo/templates/sa.yaml @@ -2,31 +2,26 @@ kind: ServiceAccount apiVersion: v1 metadata: - name: {{ include "defectdojo.serviceAccountName" . }} - labels: - app.kubernetes.io/name: {{ include "defectdojo.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - helm.sh/chart: {{ include "defectdojo.chart" . }} - {{- with .Values.extraLabels }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.serviceAccount.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} annotations: {{- if (not .Values.disableHooks) }} helm.sh/resource-policy: keep helm.sh/hook: "pre-install" helm.sh/hook-delete-policy: "before-hook-creation" {{- end }} - {{- with .Values.annotations }} - {{ toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.serviceAccount.annotations }} - {{ toYaml . | nindent 4 }} + {{- range $key, $value := mergeOverwrite dict .Values.extraAnnotations .Values.serviceAccount.annotations }} + {{ $key }}: {{ quote $value }} {{- end }} {{- if ne .Values.gke.workloadIdentityEmail "" }} iam.gke.io/gcp-service-account: {{ .Values.gke.workloadIdentityEmail }} {{- end }} + labels: + app.kubernetes.io/name: {{ include "defectdojo.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + helm.sh/chart: {{ include "defectdojo.chart" . }} + {{- range $key, $value := mergeOverwrite dict .Values.extraLabels .Values.serviceAccount.labels }} + {{ $key }}: {{ quote $value }} + {{- end }} + name: {{ include "defectdojo.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} {{- end }} \ No newline at end of file diff --git a/helm/defectdojo/templates/secret-postgresql.yaml b/helm/defectdojo/templates/secret-postgresql.yaml index 12924bb29c5..57f38a0e883 100644 --- a/helm/defectdojo/templates/secret-postgresql.yaml +++ b/helm/defectdojo/templates/secret-postgresql.yaml 
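Review bot: This hunk, together with the Secret templates and the schema change, drops the top-level `.Values.annotations` in favour of `extraAnnotations`, but the upgrade notes list only the two securityContext keys under "Moved values". Users carrying `annotations:` in their values either lose those annotations silently on the ServiceAccount and Secrets or, if the schema rejects unknown properties, hit an unexplained validation failure on upgrade. Add `annotations` → `extraAnnotations` to the moved-values list and consider a one-release guard such as `{{- if .Values.annotations }}{{ fail "annotations has been renamed to extraAnnotations" }}{{- end }}`. Separately, sa.yaml still ends without a trailing newline.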
@@ -2,27 +2,25 @@ apiVersion: v1 kind: Secret metadata: - name: {{ .Values.postgresql.auth.existingSecret }} - labels: - app.kubernetes.io/name: {{ include "defectdojo.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - helm.sh/chart: {{ include "defectdojo.chart" . }} - {{- with .Values.extraLabels }} - {{- toYaml . | nindent 4 }} - {{- end }} annotations: {{- if (not .Values.disableHooks) }} helm.sh/resource-policy: keep helm.sh/hook: "pre-install" helm.sh/hook-delete-policy: "before-hook-creation" {{- end }} - {{- with .Values.secrets.annotations }} - {{- toYaml . | nindent 4 }} + {{- range $key, $value := mergeOverwrite dict .Values.extraAnnotations .Values.secrets.annotations }} + {{ $key }}: {{ quote $value }} {{- end }} - {{- with .Values.annotations }} - {{- toYaml . | nindent 4 }} + labels: + app.kubernetes.io/name: {{ include "defectdojo.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + helm.sh/chart: {{ include "defectdojo.chart" . }} + {{- range $key, $value := .Values.extraLabels }} + {{ $key }}: {{ quote $value }} {{- end }} + name: {{ .Values.postgresql.auth.existingSecret }} + namespace: {{ .Release.Namespace }} type: Opaque data: {{- if .Values.postgresql.auth.password }} diff --git a/helm/defectdojo/templates/secret-redis.yaml b/helm/defectdojo/templates/secret-redis.yaml index f6d102c2513..b2a5a3a84c2 100644 --- a/helm/defectdojo/templates/secret-redis.yaml +++ b/helm/defectdojo/templates/secret-redis.yaml 
@@ -2,27 +2,25 @@ apiVersion: v1 kind: Secret metadata: - name: {{ .Values.redis.auth.existingSecret }} - labels: - app.kubernetes.io/name: {{ include "defectdojo.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - helm.sh/chart: {{ include "defectdojo.chart" . }} - {{- with .Values.extraLabels }} - {{- toYaml . | nindent 4 }} - {{- end }} annotations: {{- if (not .Values.disableHooks) }} helm.sh/resource-policy: keep helm.sh/hook: "pre-install" helm.sh/hook-delete-policy: "before-hook-creation" {{- end }} - {{- with .Values.secrets.annotations }} - {{- toYaml . | nindent 4 }} + {{- range $key, $value := mergeOverwrite dict .Values.extraAnnotations .Values.secrets.annotations }} + {{ $key }}: {{ quote $value }} {{- end }} - {{- with .Values.annotations }} - {{- toYaml . | nindent 4 }} + labels: + app.kubernetes.io/name: {{ include "defectdojo.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + helm.sh/chart: {{ include "defectdojo.chart" . }} + {{- range $key, $value := .Values.extraLabels }} + {{ $key }}: {{ quote $value }} {{- end }} + name: {{ .Values.redis.auth.existingSecret }} + namespace: {{ .Release.Namespace }} type: Opaque data: {{- if .Values.redis.auth.password }} diff --git a/helm/defectdojo/templates/secret.yaml b/helm/defectdojo/templates/secret.yaml index c3a3c56f6c4..3a4a5299d64 100644 --- a/helm/defectdojo/templates/secret.yaml +++ b/helm/defectdojo/templates/secret.yaml 
@@ -3,47 +3,45 @@ apiVersion: v1 kind: Secret metadata: - name: {{ $fullName }} - labels: - app.kubernetes.io/name: {{ include "defectdojo.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - helm.sh/chart: {{ include "defectdojo.chart" . }} - {{- with .Values.extraLabels }} - {{- toYaml . | nindent 4 }} - {{- end }} annotations: {{- if (not .Values.disableHooks) }} helm.sh/resource-policy: keep helm.sh/hook: "pre-install" helm.sh/hook-delete-policy: "before-hook-creation" {{- end }} - {{- with .Values.secrets.annotations }} - {{- toYaml . | nindent 4 }} + {{- range $key, $value := mergeOverwrite dict .Values.extraAnnotations .Values.secrets.annotations }} + {{ $key }}: {{ quote $value }} {{- end }} - {{- with .Values.annotations }} - {{- toYaml . | nindent 4 }} + labels: + app.kubernetes.io/name: {{ include "defectdojo.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + helm.sh/chart: {{ include "defectdojo.chart" . 
}} + {{- range $key, $value := .Values.extraLabels }} + {{ $key }}: {{ quote $value }} {{- end }} + name: {{ $fullName }} + namespace: {{ .Release.Namespace }} type: Opaque data: {{- if .Values.admin.password }} DD_ADMIN_PASSWORD: {{ .Values.admin.password | b64enc | quote }} -{{- else}} +{{- else }} DD_ADMIN_PASSWORD: {{ randAlphaNum 22 | b64enc | quote }} -{{- end}} +{{- end }} {{- if .Values.admin.secretKey }} DD_SECRET_KEY: {{ .Values.admin.secretKey | b64enc | quote }} -{{- else}} +{{- else }} DD_SECRET_KEY: {{ randAlphaNum 128 | b64enc | quote }} -{{- end}} +{{- end }} {{- if .Values.admin.credentialAes256Key }} DD_CREDENTIAL_AES_256_KEY: {{ .Values.admin.credentialAes256Key | b64enc | quote }} -{{- else}} +{{- else }} DD_CREDENTIAL_AES_256_KEY: {{ randAlphaNum 128 | b64enc | quote }} -{{- end}} +{{- end }} {{- if .Values.admin.metricsHttpAuthPassword }} METRICS_HTTP_AUTH_PASSWORD: {{ .Values.admin.metricsHttpAuthPassword | b64enc | quote }} -{{- else}} +{{- else }} METRICS_HTTP_AUTH_PASSWORD: {{ randAlphaNum 32 | b64enc | quote }} -{{- end}} +{{- end }} {{- end }} diff --git a/helm/defectdojo/values.schema.json b/helm/defectdojo/values.schema.json index 93e7b3915ff..74e14508d13 100644 --- a/helm/defectdojo/values.schema.json +++ b/helm/defectdojo/values.schema.json @@ -31,8 +31,8 @@ } } }, - "annotations": { - "type": "object" + "alternativeHosts": { + "type": "array" }, "celery": { "type": "object", @@ -49,6 +49,9 @@ "annotations": { "type": "object" }, + "containerSecurityContext": { + "type": "object" + }, "extraEnv": { "type": "array" }, @@ -70,6 +73,9 @@ "podAnnotations": { "type": "object" }, + "podSecurityContext": { + "type": "object" + }, "readinessProbe": { "type": "object" }, @@ -134,6 +140,9 @@ } } }, + "containerSecurityContext": { + "type": "object" + }, "extraEnv": { "type": "array" }, @@ -155,6 +164,9 @@ "podAnnotations": { "type": "object" }, + "podSecurityContext": { + "type": "object" + }, "readinessProbe": { "type": "object" }, 
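Review bot: With `disableHooks: true` the `helm.sh/hook` and `helm.sh/resource-policy: keep` annotations are omitted, the Secret becomes an ordinary release resource, and every `helm upgrade` re-evaluates the `randAlphaNum` fallbacks, rotating `DD_ADMIN_PASSWORD`, `DD_SECRET_KEY`, `DD_CREDENTIAL_AES_256_KEY` and `METRICS_HTTP_AUTH_PASSWORD` unless all four `admin.*` values are pinned; a rotated AES key makes previously stored tool credentials undecryptable and a new `DD_SECRET_KEY` invalidates sessions. This predates the commit, but the hunk reworks exactly these lines and `disableHooks` is the path values.yaml recommends for ArgoCD. Reading the existing Secret with `lookup` preserves generated values across upgrades; `lookup` returns an empty map under `helm template`, so that path keeps today's behaviour.

```yaml
{{- $existing := dict }}
{{- with lookup "v1" "Secret" .Release.Namespace $fullName }}
{{- $existing = .data | default dict }}
{{- end }}
data:
  {{- if .Values.admin.password }}
  DD_ADMIN_PASSWORD: {{ .Values.admin.password | b64enc | quote }}
  {{- else }}
  DD_ADMIN_PASSWORD: {{ get $existing "DD_ADMIN_PASSWORD" | default (randAlphaNum 22 | b64enc) | quote }}
  {{- end }}
  # … unchanged: same pattern for DD_SECRET_KEY, DD_CREDENTIAL_AES_256_KEY and METRICS_HTTP_AUTH_PASSWORD …
```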
@@ -201,12 +213,21 @@ "cloudsql": { "type": "object", "properties": { + "containerSecurityContext": { + "type": "object" + }, "enable_iam_login": { "type": "boolean" }, "enabled": { "type": "boolean" }, + "extraEnv": { + "type": "array" + }, + "extraVolumeMounts": { + "type": "array" + }, "image": { "type": "object", "properties": { @@ -224,6 +245,9 @@ "instance": { "type": "string" }, + "resources": { + "type": "object" + }, "use_private_ip": { "type": "boolean" }, @@ -244,9 +268,18 @@ "dbMigrationChecker": { "type": "object", "properties": { + "containerSecurityContext": { + "type": "object" + }, "enabled": { "type": "boolean" }, + "extraEnv": { + "type": "array" + }, + "extraVolumeMounts": { + "type": "array" + }, "resources": { "type": "object", "properties": { @@ -288,9 +321,15 @@ "annotations": { "type": "object" }, + "extraEnv": { + "type": "array" + }, "extraInitContainers": { "type": "array" }, + "extraVolumeMounts": { + "type": "array" + }, "extraVolumes": { "type": "array" }, @@ -357,6 +396,14 @@ "nginx": { "type": "object", "properties": { + "containerSecurityContext": { + "type": "object", + "properties": { + "runAsUser": { + "type": "integer" + } + } + }, "extraEnv": { "type": "array" }, @@ -406,6 +453,14 @@ "nodeSelector": { "type": "object" }, + "podSecurityContext": { + "type": "object", + "properties": { + "fsGroup": { + "type": "integer" + } + } + }, "replicas": { "type": "integer" }, @@ -460,6 +515,14 @@ } } }, + "containerSecurityContext": { + "type": "object", + "properties": { + "runAsUser": { + "type": "integer" + } + } + }, "enableDebug": { "type": "boolean" }, @@ -569,6 +632,9 @@ } } }, + "extraAnnotations": { + "type": "object" + }, "extraConfigs": { "type": "object" }, @@ -616,6 +682,9 @@ "annotations": { "type": "object" }, + "containerSecurityContext": { + "type": "object" + }, "extraEnv": { "type": "array" }, 
@@ -637,6 +706,9 @@ "nodeSelector": { "type": "object" }, + "podSecurityContext": { + "type": "object" + }, "resources": { "type": "object", "properties": { @@ -687,14 +759,26 @@ "prometheus": { "type": "object", "properties": { + "containerSecurityContext": { + "type": "object" + }, "enabled": { "type": "boolean" }, + "extraEnv": { + "type": "array" + }, + "extraVolumeMounts": { + "type": "array" + }, "image": { "type": "string" }, "imagePullPolicy": { "type": "string" + }, + "resources": { + "type": "object" } } } @@ -924,22 +1008,22 @@ "securityContext": { "type": "object", "properties": { - "djangoSecurityContext": { + "containerSecurityContext": { "type": "object", "properties": { - "runAsUser": { - "type": "integer" + "runAsNonRoot": { + "type": "boolean" } } }, "enabled": { "type": "boolean" }, - "nginxSecurityContext": { + "podSecurityContext": { "type": "object", "properties": { - "runAsUser": { - "type": "integer" + "runAsNonRoot": { + "type": "boolean" } } } @@ -956,9 +1040,15 @@ }, "labels": { "type": "object" + }, + "name": { + "type": "string" } } }, + "siteUrl": { + "type": "string" + }, "tag": { "type": "string" }, diff --git a/helm/defectdojo/values.yaml b/helm/defectdojo/values.yaml index 8415ea73067..bba288d5dbf 100644 --- a/helm/defectdojo/values.yaml +++ b/helm/defectdojo/values.yaml @@ -1,5 +1,12 @@ --- -# Global settings +# Security context settings +securityContext: + enabled: true + containerSecurityContext: + runAsNonRoot: true + podSecurityContext: + runAsNonRoot: true + # create defectdojo specific secret createSecret: false # create redis secret in defectdojo chart, outside of redis chart 
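Review bot: The new global `securityContext.containerSecurityContext` defaults only to `runAsNonRoot: true`; now that there is one map reaching every container, it is the natural place for the rest of the restricted Pod Security Standard, which clusters enforcing `pod-security.kubernetes.io/enforce: restricted` will demand anyway. `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]` and a `RuntimeDefault` seccomp profile look safe for what this diff shows (the exporter scrapes nginx on 127.0.0.1:8080, so nginx already binds an unprivileged port, and the shared `/run/defectdojo` volume is a regular mount), whereas `readOnlyRootFilesystem` I have not verified and would leave to per-container overrides. Per-container `containerSecurityContext` maps can still relax any of these, assuming the merge in `helpers.securityContext` lets the specific map win.

```yaml
securityContext:
  enabled: true
  containerSecurityContext:
    runAsNonRoot: true
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    seccompProfile:
      type: RuntimeDefault
  podSecurityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
```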
@@ -15,8 +22,10 @@ trackConfig: disabled # Avoid using pre-install hooks, which might cause issues with ArgoCD disableHooks: false +# Annotations globally added to all resources +extraAnnotations: {} +# Labels globally added to all resources extraLabels: {} -# Add extra labels for k8s # Enables application network policy # For more info follow https://kubernetes.io/docs/concepts/services-networking/network-policies/ @@ -55,12 +64,13 @@ networkPolicy: host: defectdojo.default.minikube.local # The full URL to your defectdojo instance, depends on the domain where DD is deployed, it also affects links in Jira +siteUrl: "" # siteUrl: 'https://' # optional list of alternative hostnames to use that gets appended to # DD_ALLOWED_HOSTS. This is necessary when your local hostname does not match # the global hostname. -# alternativeHosts: +alternativeHosts: [] # - defectdojo.example.com imagePullPolicy: Always # Where to pull the defectDojo images from. Defaults to "defectdojo/*" repositories on hub.docker.com @@ -79,22 +89,13 @@ podLabels: {} # Allow overriding of revisionHistoryLimit across all deployments. revisionHistoryLimit: 10 -securityContext: - enabled: true - djangoSecurityContext: - # django dockerfile sets USER=1001 - runAsUser: 1001 - nginxSecurityContext: - # nginx dockerfile sets USER=1001 - runAsUser: 1001 - serviceAccount: # Specifies whether a service account should be created. create: true # The name of the service account to use. # If not set and create is true, a name is generated using the fullname template - # name: "" + name: "" # Optional additional annotations to add to the DefectDojo's Service Account. annotations: {} 
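Review bot: The `securityContext.djangoSecurityContext` and `nginxSecurityContext` keys are removed from values.yaml and from the schema, and every template reference visible in this diff is replaced by the `helpers.securityContext` include, so a user who kept them in an overriding values file has their `runAsUser` silently ignored rather than "deprecated" as the upgrade notes say. For anyone running the images under a non-default UID that is a breaking change with no signal. Either map the old keys onto the new ones for one release, or at least fail early, e.g. `{{- if .Values.securityContext.djangoSecurityContext }}{{ fail "securityContext.djangoSecurityContext was replaced by django.uwsgi.containerSecurityContext" }}{{- end }}`, and reword the notes from "deprecated" to "removed".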
@@ -103,7 +104,15 @@ serviceAccount: labels: {} dbMigrationChecker: + # Enable/disable the DB migration checker. enabled: true + # Container security context for the DB migration checker. + containerSecurityContext: {} + # Additional environment variables for DB migration checker. + extraEnv: [] + # Array of additional volume mount points for DB migration checker. + extraVolumeMounts: [] + # Resource requests/limits for the DB migration checker. resources: requests: cpu: 100m @@ -134,13 +143,19 @@ admin: monitoring: enabled: false - # Add the nginx prometheus exporter sidecar prometheus: + # Add the nginx prometheus exporter sidecar enabled: false image: nginx/nginx-prometheus-exporter:1.4.2 imagePullPolicy: IfNotPresent - -annotations: {} + # Optional: container security context for nginx prometheus exporter + containerSecurityContext: {} + # Optional: additional environment variables injected to the nginx prometheus exporter container + extraEnv: [] + # Array of additional volume mount points for the nginx prometheus exporter + extraVolumeMounts: [] + # Optional: add resource requests/limits for the nginx prometheus exporter container + resources: {} secrets: # Add annotations for secret resources @@ -156,6 +171,8 @@ celery: # Annotations for the Celery beat deployment. annotations: {} affinity: {} + # Container security context for the Celery beat containers. + containerSecurityContext: {} # Additional environment variables injected to Celery beat containers. extraEnv: [] # A list of additional initContainers to run before celery beat containers. @@ -178,6 +195,8 @@ celery: nodeSelector: {} # Annotations for the Celery beat pods. podAnnotations: {} + # Pod security context for the Celery beat pods. + podSecurityContext: {} # Enable readiness probe for Celery beat container. readinessProbe: {} replicas: 1 
@@ -195,6 +214,8 @@ celery: # Annotations for the Celery worker deployment. annotations: {} affinity: {} + # Container security context for the Celery worker containers. + containerSecurityContext: {} # Additional environment variables injected to Celery worker containers. extraEnv: [] # A list of additional initContainers to run before celery worker containers. @@ -217,6 +238,8 @@ celery: nodeSelector: {} # Annotations for the Celery beat pods. podAnnotations: {} + # Pod security context for the Celery worker pods. + podSecurityContext: {} # Enable readiness probe for Celery worker container. readinessProbe: {} replicas: 1 @@ -246,6 +269,9 @@ django: annotations: {} type: "" affinity: {} + # Pod security context for the Django pods. + podSecurityContext: + fsGroup: 1001 ingress: enabled: true ingressClassName: "" @@ -258,6 +284,10 @@ django: # nginx.ingress.kubernetes.io/proxy-read-timeout: "1800" # nginx.ingress.kubernetes.io/proxy-send-timeout: "1800" nginx: + # Container security context for the nginx containers. + containerSecurityContext: + # nginx dockerfile sets USER=1001 + runAsUser: 1001 # To extra environment variables to the nginx container, you can use extraEnv. For example: # extraEnv: # - name: FOO @@ -283,6 +313,9 @@ django: strategy: {} tolerations: [] uwsgi: + containerSecurityContext: + # django dockerfile sets USER=1001 + runAsUser: 1001 # To add (or override) extra variables which need to be pulled from another configMap, you can # use extraEnv. For example: # extraEnv: @@ -339,8 +372,12 @@ django: certMountPath: /certs/ certFileName: ca.crt + # Additional environment variables injected to all Django containers and initContainers. + extraEnv: [] # A list of additional initContainers to run before the uwsgi and nginx containers. extraInitContainers: [] + # Array of additional volume mount points common to all containers and initContainers. + extraVolumeMounts: [] # A list of extra volumes to mount. extraVolumes: [] 
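Review bot: The comments on `django.extraEnv` and `django.extraVolumeMounts` say "all Django containers and initContainers", but the deployment hunks in this change add them to the uwsgi and nginx containers only; the metrics and cloudsql sidecars in the same pod have their own keys, and the initContainers section is outside this diff so that part is unverified. The consequence worth spelling out is that anything injected here is also readable from the internet-facing nginx container, so material needed only by uwsgi belongs in `django.uwsgi.extraEnv`/`django.uwsgi.extraVolumeMounts`. Suggested comment: `# Additional environment variables injected into both the uwsgi and nginx containers (use django.uwsgi.extraEnv for values nginx must not see).` with the matching wording on `extraVolumeMounts`.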
@@ -378,12 +415,16 @@ initializer: limits: cpu: 2000m memory: 512Mi + # Container security context for the initializer Job container + containerSecurityContext: {} # Additional environment variables injected to the initializer job pods. extraEnv: [] # Array of additional volume mount points for the initializer job (init)containers. extraVolumeMounts: [] # A list of extra volumes to attach to the initializer job pods. extraVolumes: [] + # Pod security context for the initializer Job + podSecurityContext: {} # staticName defines whether name of the job will be the same (e.g., "defectdojo-initializer") # or different every time - generated based on current time (e.g., "defectdojo-initializer-2024-11-11-18-57") @@ -449,6 +490,14 @@ cloudsql: enable_iam_login: false # whether to use a private IP to connect to the database use_private_ip: false + # Optional: security context for the CloudSQL proxy container. + containerSecurityContext: {} + # Additional environment variables for the CloudSQL proxy container. + extraEnv: [] + # Array of additional volume mount points for the CloudSQL proxy container + extraVolumeMounts: [] + # Optional: add resource requests/limits for the CloudSQL proxy container. + resources: {} # Settings to make running the chart on GKE simpler gke: @@ -521,6 +570,7 @@ localsettingspy: "" # MIDDLEWARE = [ # 'debug_toolbar.middleware.DebugToolbarMiddleware', # ] + MIDDLEWARE + # # External database support. #