From 492e9807029299a0f49f04e4ad66885474733224 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jes=C3=BAs=20Fern=C3=A1ndez?= <7312236+fernandezcuesta@users.noreply.github.com> Date: Wed, 17 Sep 2025 21:58:08 +0200 Subject: [PATCH 01/13] fix: add missing resources, securityContext and env entries --- helm/defectdojo/templates/_helpers.tpl | 8 +++- .../templates/celery-worker-deployment.yaml | 4 +- .../templates/django-deployment.yaml | 43 +++++++++++++++++-- helm/defectdojo/values.yaml | 14 ++++-- 4 files changed, 58 insertions(+), 11 deletions(-) diff --git a/helm/defectdojo/templates/_helpers.tpl b/helm/defectdojo/templates/_helpers.tpl index 025b35078db..e7ac6a1a4d6 100644 --- a/helm/defectdojo/templates/_helpers.tpl +++ b/helm/defectdojo/templates/_helpers.tpl @@ -163,9 +163,13 @@ Create the name of the service account to use secretKeyRef: name: {{ .Values.postgresql.auth.existingSecret | default "defectdojo-postgresql-specific" }} key: {{ .Values.postgresql.auth.secretKeys.userPasswordKey | default "postgresql-password" }} - {{- if .Values.extraEnv }} - {{- toYaml .Values.extraEnv | nindent 2 }} + {{- with.Values.django.extraEnv }} + {{- toYaml . | nindent 2 }} {{- end }} resources: {{- toYaml .Values.dbMigrationChecker.resources | nindent 4 }} + {{- with .Values.django.extraVolumeMounts }} + volumeMounts: + {{- . | toYaml | nindent 4 }} + {{- end }} {{- end -}} diff --git a/helm/defectdojo/templates/celery-worker-deployment.yaml b/helm/defectdojo/templates/celery-worker-deployment.yaml index ce4881094e9..4df51442306 100644 --- a/helm/defectdojo/templates/celery-worker-deployment.yaml +++ b/helm/defectdojo/templates/celery-worker-deployment.yaml 
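Review bot: `{{- with.Values.django.extraEnv }}` is missing the space after `with`; Go's template lexer appears to accept it because `.` terminates the keyword, but it reads as a typo and every other action in this file writes `with .Values…`, so change it to `{{- with .Values.django.extraEnv }}`. Separately, switching the migration checker from `.Values.extraEnv` to `.Values.django.extraEnv` silently drops env entries for any existing install that still sets top-level `extraEnv`, which values.yaml continues to document. If the rename is intended, fail loudly with something like `{{- if .Values.extraEnv }}{{ fail "extraEnv moved to django.extraEnv" }}{{- end }}` rather than ignoring the old key, or keep honouring both.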
@@ -57,12 +57,12 @@ spec: - name: {{ . }} {{- end }} volumes: - {{- if .Values.localsettingspy }} + {{- if .Values.localsettingspy }} - name: localsettingspy configMap: name: {{ $fullName }}-localsettingspy {{- end }} - {{- if .Values.django.uwsgi.certificates.enabled }} + {{- if .Values.django.uwsgi.certificates.enabled }} - name: cert-mount configMap: name: {{ .Values.django.uwsgi.certificates.configName }} diff --git a/helm/defectdojo/templates/django-deployment.yaml b/helm/defectdojo/templates/django-deployment.yaml index fb77e8f7e88..7ab806cc524 100644 --- a/helm/defectdojo/templates/django-deployment.yaml +++ b/helm/defectdojo/templates/django-deployment.yaml @@ -101,9 +101,19 @@ spec: - name: cloudsql-proxy image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }} imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }} + {{- with .Values.django.extraEnv }} + env: {{- . | toYaml | nindent 8 }} + {{- end }} + {{- with .Values.cloudsql.resources }} + resources: {{- . | toYaml | nindent 10 }} + {{- end }} restartPolicy: Always securityContext: + {{- if .Values.securityContext.enabled }} + {{- toYaml .Values.securityContext.djangoSecurityContext | nindent 10 }} + {{- else }} runAsNonRoot: true + {{- end }} command: ["/cloud_sql_proxy"] args: - "-verbose={{ .Values.cloudsql.verbose }}" @@ -114,9 +124,12 @@ spec: {{- if .Values.cloudsql.use_private_ip }} - "-ip_address_types=PRIVATE" {{- end }} + {{- with .Values.django.extraVolumeMounts }} + volumeMounts: {{ . | toYaml | nindent 10 }} + {{- end }} {{- end }} {{- if .Values.dbMigrationChecker.enabled }} - {{$data := dict "fullName" $fullName }} + {{- $data := dict "fullName" $fullName }} {{- $newContext := merge . (dict "fullName" $fullName) }} {{- include "dbMigrationChecker" $newContext | nindent 6 }} {{- end }} 
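Review bot: The cloudsql-proxy sidecar now receives every entry of `django.extraEnv` and `django.extraVolumeMounts`, which are meant for the application containers; anything sensitive injected there (e.g. a `secretKeyRef`) becomes readable from the proxy process, and a volume intended for the application is mounted into the proxy image as well. Unless that is deliberate, give the sidecar its own `cloudsql.extraEnv`/`cloudsql.extraVolumeMounts` or state in values.yaml that `django.extraEnv` reaches all sidecars. Note also that the `{{- else }} runAsNonRoot: true` fallback only applies when `securityContext.enabled` is false; when it is true the proxy gets exactly `djangoSecurityContext`, so that block must itself carry `runAsNonRoot: true` or the proxy may lose the non-root guarantee it had before. The `{{- $data := dict "fullName" $fullName }}` variable is assigned and never used (`$newContext` builds its own dict) and can be deleted.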
@@ -126,7 +139,13 @@ spec: - name: metrics image: {{ .Values.monitoring.prometheus.image }} imagePullPolicy: {{ .Values.monitoring.prometheus.imagePullPolicy }} - command: [ '/usr/bin/nginx-prometheus-exporter', '--nginx.scrape-uri', 'http://127.0.0.1:8080/nginx_status'] + command: + - /usr/bin/nginx-prometheus-exporter + - --nginx.scrape-uri + - http://127.0.0.1:8080/nginx_status + {{- with .Values.django.extraEnv }} + env: {{- . | toYaml | nindent 8 }} + {{- end }} ports: - name: http-metrics protocol: TCP @@ -138,6 +157,16 @@ spec: periodSeconds: 20 initialDelaySeconds: 15 timeoutSeconds: 5 + {{- with .Values.monitoring.prometheus.resources }} + resources: {{- . | toYaml | nindent 10 }} + {{- end }} + {{- if .Values.securityContext.enabled }} + securityContext: + {{- .Values.securityContext.djangoSecurityContext | toYaml | nindent 10 }} + {{- end }} + {{- with .Values.django.extraVolumeMounts }} + volumeMounts: {{ . | toYaml | nindent 10 }} + {{- end }} {{- end }} - name: uwsgi image: '{{ template "django.uwsgi.repository" . }}:{{ .Values.tag }}' @@ -159,6 +188,9 @@ spec: - name: cert-mount mountPath: {{ .Values.django.uwsgi.certificates.certMountPath }} {{- end }} + {{- with .Values.django.extraVolumeMounts }} + {{- . | toYaml | nindent 8 }} + {{- end }} {{- with .Values.django.uwsgi.extraVolumeMounts }} {{- . | toYaml | nindent 8 }} {{- end }} @@ -209,7 +241,7 @@ spec: value: {{- if or .Values.django.ingress.activateTLS .Values.django.nginx.tls.enabled }} "True" {{- else }} "False" {{- end }} - name: DD_CSRF_COOKIE_SECURE value: {{- if or .Values.django.ingress.activateTLS .Values.django.nginx.tls.enabled }} "True" {{- else }} "False" {{- end }} - {{- with .Values.extraEnv }} + {{- with .Values.django.extraEnv }} {{- . | toYaml | nindent 8 }} {{- end }} {{- with .Values.django.uwsgi.extraEnv }} 
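Review bot: The `metrics` container only gets a `securityContext` when `securityContext.enabled` is true; unlike the cloudsql-proxy hunk above there is no `{{- else }}` branch, so with the flag off the nginx-prometheus-exporter runs with whatever the image defaults to unless a pod-level context covers it. Add the same fallback: `{{- else }}` / `securityContext:` / `runAsNonRoot: true`. The exporter also inherits all of `django.extraEnv`, so any secret injected for the application is handed to a third-party image that only needs to reach `http://127.0.0.1:8080/nginx_status`; consider leaving `extraEnv` off this container entirely.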
@@ -241,6 +273,9 @@ spec: volumeMounts: - name: run mountPath: /run/defectdojo + {{- with .Values.django.extraVolumeMounts }} + {{- . | toYaml | nindent 8 }} + {{- end }} {{- with .Values.django.nginx.extraVolumeMounts }} {{- . | toYaml | nindent 8 }} {{- end }} @@ -265,7 +300,7 @@ spec: value: '{{ .Values.django.nginx.tls.enabled }}' - name: GENERATE_TLS_CERTIFICATE value: '{{ .Values.django.nginx.tls.generateCertificate }}' - {{- with .Values.extraEnv }} + {{- with .Values.django.extraEnv }} {{- . | toYaml | nindent 8 }} {{- end }} {{- with .Values.django.nginx.extraEnv }} diff --git a/helm/defectdojo/values.yaml b/helm/defectdojo/values.yaml index 213f70b6101..3ed02cf5096 100644 --- a/helm/defectdojo/values.yaml +++ b/helm/defectdojo/values.yaml @@ -55,12 +55,13 @@ networkPolicy: host: defectdojo.default.minikube.local # The full URL to your defectdojo instance, depends on the domain where DD is deployed, it also affects links in Jira +siteUrl: "" # siteUrl: 'https://' # optional list of alternative hostnames to use that gets appended to # DD_ALLOWED_HOSTS. This is necessary when your local hostname does not match # the global hostname. -# alternativeHosts: +alternativeHosts: [] # - defectdojo.example.com imagePullPolicy: Always # Where to pull the defectDojo images from. Defaults to "defectdojo/*" repositories on hub.docker.com @@ -94,7 +95,7 @@ serviceAccount: # The name of the service account to use. # If not set and create is true, a name is generated using the fullname template - # name: "" + name: "" # Optional additional annotations to add to the DefectDojo's Service Account. annotations: {} @@ -139,7 +140,8 @@ monitoring: enabled: false image: nginx/nginx-prometheus-exporter:1.4.2 imagePullPolicy: IfNotPresent - + # Optional: add resource requests/limits for the nginx prometheus exporter container + resources: {} annotations: {} secrets: 
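Review bot: The nginx container (and uwsgi in the previous hunk) now concatenates `django.extraVolumeMounts` with its container-specific `django.nginx.extraVolumeMounts`; an entry listed in both, or one whose `mountPath` collides with the fixed `/run/defectdojo` mount, yields a Deployment the API server rejects for a duplicate mountPath with no chart-side diagnostic. A comment on `extraVolumeMounts` in values.yaml such as `# entries must not repeat a per-container extraVolumeMounts entry or reuse a built-in mountPath` would spare users a confusing rollout failure. The enclosing container spec starts outside this hunk.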
@@ -339,8 +341,12 @@ django: certMountPath: /certs/ certFileName: ca.crt + # Additional environment variables injected to all Django containers and initContainers. + extraEnv: [] # A list of additional initContainers to run before the uwsgi and nginx containers. extraInitContainers: [] + # Array of additional volume mount points common to all containers and initContainers. + extraVolumeMounts: [] # A list of extra volumes to mount. extraVolumes: [] @@ -449,6 +455,8 @@ cloudsql: enable_iam_login: false # whether to use a private IP to connect to the database use_private_ip: false + # Optional: add resource requests/limits for the CloudSQL proxy container + resources: {} # Settings to make running the chart on GKE simpler gke: From d019a3e657fe24be38ed5ea57ecb19fd822d8237 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jes=C3=BAs=20Fern=C3=A1ndez?= <7312236+fernandezcuesta@users.noreply.github.com> Date: Wed, 17 Sep 2025 22:14:01 +0200 Subject: [PATCH 02/13] chore: docs and schema --- helm/defectdojo/README.md | 7 +++++++ helm/defectdojo/values.schema.json | 21 +++++++++++++++++++++ 2 files changed, 28 insertions(+) diff --git a/helm/defectdojo/README.md b/helm/defectdojo/README.md index 0418a70dd66..82b0c6ea469 100644 --- a/helm/defectdojo/README.md +++ b/helm/defectdojo/README.md @@ -524,6 +524,7 @@ A Helm chart for Kubernetes to install DefectDojo | admin.password | string | `nil` | | | admin.secretKey | string | `nil` | | | admin.user | string | `"admin"` | | +| alternativeHosts | list | `[]` | | | annotations | object | `{}` | | | celery.annotations | object | `{}` | | | celery.beat.affinity | object | `{}` | | 
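Review bot: The comment on `django.extraEnv` says "all Django containers and initContainers", but the templates in this patch also render it into the cloudsql-proxy and nginx-prometheus-exporter sidecars, so a secret injected here for the application is visible to those images too. Reword it to `# Extra env entries injected into every container of the Django pod, including the cloudsql-proxy and metrics sidecars; do not place secrets here that those sidecars should not see.` and apply the same wording to `extraVolumeMounts`.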
@@ -569,6 +570,7 @@ A Helm chart for Kubernetes to install DefectDojo | cloudsql.image.repository | string | `"gcr.io/cloudsql-docker/gce-proxy"` | | | cloudsql.image.tag | string | `"1.37.9"` | | | cloudsql.instance | string | `""` | | +| cloudsql.resources | object | `{}` | | | cloudsql.use_private_ip | bool | `false` | | | cloudsql.verbose | bool | `true` | | | createPostgresqlSecret | bool | `false` | | @@ -582,7 +584,9 @@ A Helm chart for Kubernetes to install DefectDojo | disableHooks | bool | `false` | | | django.affinity | object | `{}` | | | django.annotations | object | `{}` | | +| django.extraEnv | list | `[]` | | | django.extraInitContainers | list | `[]` | | +| django.extraVolumeMounts | list | `[]` | | | django.extraVolumes | list | `[]` | | | django.ingress.activateTLS | bool | `true` | | | django.ingress.annotations | object | `{}` | | @@ -671,6 +675,7 @@ A Helm chart for Kubernetes to install DefectDojo | monitoring.prometheus.enabled | bool | `false` | | | monitoring.prometheus.image | string | `"nginx/nginx-prometheus-exporter:1.4.2"` | | | monitoring.prometheus.imagePullPolicy | string | `"IfNotPresent"` | | +| monitoring.prometheus.resources | object | `{}` | | | networkPolicy.annotations | object | `{}` | | | networkPolicy.egress | list | `[]` | | | networkPolicy.enabled | bool | `false` | | @@ -717,6 +722,8 @@ A Helm chart for Kubernetes to install DefectDojo | serviceAccount.annotations | object | `{}` | | | serviceAccount.create | bool | `true` | | | serviceAccount.labels | object | `{}` | | +| serviceAccount.name | string | `""` | | +| siteUrl | string | `""` | | | tag | string | `"latest"` | | | tests.unitTests.resources.limits.cpu | string | `"500m"` | | | tests.unitTests.resources.limits.memory | string | `"512Mi"` | | diff --git a/helm/defectdojo/values.schema.json b/helm/defectdojo/values.schema.json index 06b105c9d66..8d043b130a0 100644 --- a/helm/defectdojo/values.schema.json +++ b/helm/defectdojo/values.schema.json 
@@ -31,6 +31,9 @@ } } }, + "alternativeHosts": { + "type": "array" + }, "annotations": { "type": "object" }, @@ -224,6 +227,9 @@ "instance": { "type": "string" }, + "resources": { + "type": "object" + }, "use_private_ip": { "type": "boolean" }, @@ -288,9 +294,15 @@ "annotations": { "type": "object" }, + "extraEnv": { + "type": "array" + }, "extraInitContainers": { "type": "array" }, + "extraVolumeMounts": { + "type": "array" + }, "extraVolumes": { "type": "array" }, @@ -683,6 +695,9 @@ }, "imagePullPolicy": { "type": "string" + }, + "resources": { + "type": "object" } } } @@ -944,9 +959,15 @@ }, "labels": { "type": "object" + }, + "name": { + "type": "string" } } }, + "siteUrl": { + "type": "string" + }, "tag": { "type": "string" }, From 4106e4ad1562c8105ff57996c84700dbc05cea7f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jes=C3=BAs=20Fern=C3=A1ndez?= <7312236+fernandezcuesta@users.noreply.github.com> Date: Wed, 17 Sep 2025 22:25:44 +0200 Subject: [PATCH 03/13] fix: missing securityContext for initializer job --- helm/defectdojo/README.md | 1 + helm/defectdojo/templates/initializer-job.yaml | 8 +++++--- helm/defectdojo/values.schema.json | 8 ++++++++ helm/defectdojo/values.yaml | 2 ++ 4 files changed, 16 insertions(+), 3 deletions(-) diff --git a/helm/defectdojo/README.md b/helm/defectdojo/README.md index 82b0c6ea469..e9b0e85455d 100644 --- a/helm/defectdojo/README.md +++ b/helm/defectdojo/README.md @@ -669,6 +669,7 @@ A Helm chart for Kubernetes to install DefectDojo | initializer.resources.requests.cpu | string | `"100m"` | | | initializer.resources.requests.memory | string | `"256Mi"` | | | initializer.run | bool | `true` | | +| initializer.securityContext.runAsNonRoot | bool | `true` | | | initializer.staticName | bool | `false` | | | initializer.tolerations | list | `[]` | | | monitoring.enabled | bool | `false` | | diff --git a/helm/defectdojo/templates/initializer-job.yaml b/helm/defectdojo/templates/initializer-job.yaml index 668812d1a08..021fe4fd927 100644 
--- a/helm/defectdojo/templates/initializer-job.yaml +++ b/helm/defectdojo/templates/initializer-job.yaml @@ -67,8 +67,10 @@ spec: image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }} imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }} restartPolicy: Always + {{- if .Values.securityContext.enabled }} securityContext: - runAsNonRoot: true + {{- toYaml .Values.initializer.securityContext | nindent 10 }} + {{- end }} command: ["/cloud_sql_proxy"] args: - "-verbose={{ .Values.cloudsql.verbose }}" @@ -96,7 +98,7 @@ spec: imagePullPolicy: {{ .Values.imagePullPolicy }} {{- if .Values.securityContext.enabled }} securityContext: - {{- toYaml .Values.securityContext.djangoSecurityContext | nindent 10 }} + {{- toYaml .Values.initializer.securityContext | nindent 10 }} {{- end }} envFrom: - configMapRef: @@ -123,7 +125,7 @@ spec: imagePullPolicy: {{ .Values.imagePullPolicy }} {{- if .Values.securityContext.enabled }} securityContext: - {{- toYaml .Values.securityContext.djangoSecurityContext | nindent 10 }} + {{- toYaml .Values.initializer.securityContext | nindent 10 }} {{- end }} volumeMounts: {{- if .Values.localsettingspy }} diff --git a/helm/defectdojo/values.schema.json b/helm/defectdojo/values.schema.json index 8d043b130a0..8ad2ae71e64 100644 --- a/helm/defectdojo/values.schema.json +++ b/helm/defectdojo/values.schema.json @@ -670,6 +670,14 @@ "run": { "type": "boolean" }, + "securityContext": { + "type": "object", + "properties": { + "runAsNonRoot": { + "type": "boolean" + } + } + }, "staticName": { "type": "boolean" }, diff --git a/helm/defectdojo/values.yaml b/helm/defectdojo/values.yaml index 3ed02cf5096..419fe46d110 100644 --- a/helm/defectdojo/values.yaml +++ b/helm/defectdojo/values.yaml 
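Review bot: Wrapping the cloudsql-proxy sidecar's `securityContext` in `{{- if .Values.securityContext.enabled }}` removes the unconditional `runAsNonRoot: true` it had before, so a user who leaves `securityContext.enabled` off now runs the proxy with no container security context at all — a hardening regression, and inconsistent with the celery deployments where the proxy keeps `runAsNonRoot: true` unconditionally. Keep the literal as the fallback: `{{- else }}` / `securityContext:` / `runAsNonRoot: true`. Separately, the two initializer containers switch from `securityContext.djangoSecurityContext` to `initializer.securityContext`, whose default carries only `runAsNonRoot: true`; if `djangoSecurityContext` sets more (user/group, capability drops, read-only root), the initializer silently loses that unless the user duplicates it, which is worth saying in the values.yaml comment or defaulting `initializer.securityContext` to the django one.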
@@ -384,6 +384,8 @@ initializer: limits: cpu: 2000m memory: 512Mi + securityContext: + runAsNonRoot: true # Additional environment variables injected to the initializer job pods. extraEnv: [] # Array of additional volume mount points for the initializer job (init)containers. From ca771d4e6f40e21fb6623e6c57f705f03a3ee1b2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jes=C3=BAs=20Fern=C3=A1ndez?= <7312236+fernandezcuesta@users.noreply.github.com> Date: Mon, 22 Sep 2025 21:59:01 +0200 Subject: [PATCH 04/13] fix: add resources to all cloudsql containers --- helm/defectdojo/templates/celery-beat-deployment.yaml | 3 +++ helm/defectdojo/templates/celery-worker-deployment.yaml | 3 +++ helm/defectdojo/templates/initializer-job.yaml | 3 +++ 3 files changed, 9 insertions(+) diff --git a/helm/defectdojo/templates/celery-beat-deployment.yaml b/helm/defectdojo/templates/celery-beat-deployment.yaml index 166f6c2afeb..24502529bcd 100644 --- a/helm/defectdojo/templates/celery-beat-deployment.yaml +++ b/helm/defectdojo/templates/celery-beat-deployment.yaml @@ -82,6 +82,9 @@ spec: - name: cloudsql-proxy image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }} imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }} + {{- with .Values.cloudsql.resources }} + resources: {{- . | toYaml | nindent 10 }} + {{- end }} restartPolicy: Always securityContext: runAsNonRoot: true diff --git a/helm/defectdojo/templates/celery-worker-deployment.yaml b/helm/defectdojo/templates/celery-worker-deployment.yaml index 4df51442306..cfb426544bd 100644 --- a/helm/defectdojo/templates/celery-worker-deployment.yaml +++ b/helm/defectdojo/templates/celery-worker-deployment.yaml 
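Review bot: `initializer.securityContext` defaults to `runAsNonRoot: true` alone, which is the baseline but well short of the restricted Pod Security Standard; a one-shot job is a cheap place to also default `allowPrivilegeEscalation: false`, `capabilities: {drop: [ALL]}` and `seccompProfile: {type: RuntimeDefault}`, if the initializer image tolerates them. The schema added in this patch enumerates only `runAsNonRoot`, so extra keys are still accepted, but listing them here (or in the comment) makes the hardening discoverable.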
@@ -80,6 +80,9 @@ spec: - name: cloudsql-proxy image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }} imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }} + {{- with .Values.cloudsql.resources }} + resources: {{- . | toYaml | nindent 10 }} + {{- end }} restartPolicy: Always securityContext: runAsNonRoot: true diff --git a/helm/defectdojo/templates/initializer-job.yaml b/helm/defectdojo/templates/initializer-job.yaml index 021fe4fd927..c5b304bf2c6 100644 --- a/helm/defectdojo/templates/initializer-job.yaml +++ b/helm/defectdojo/templates/initializer-job.yaml @@ -66,6 +66,9 @@ spec: - name: cloudsql-proxy image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }} imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }} + {{- with .Values.cloudsql.resources }} + resources: {{- . | toYaml | nindent 10 }} + {{- end }} restartPolicy: Always {{- if .Values.securityContext.enabled }} securityContext: From 3a394e145800c25dba54702e17f7cbcf771ac8c8 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jes=C3=BAs=20Fern=C3=A1ndez?= <7312236+fernandezcuesta@users.noreply.github.com> Date: Mon, 22 Sep 2025 22:15:09 +0200 Subject: [PATCH 05/13] chore: add missing explicit namespace --- .../templates/celery-beat-deployment.yaml | 6 +++--- .../templates/celery-worker-deployment.yaml | 3 ++- .../templates/configmap-local-settings-py.yaml | 3 ++- helm/defectdojo/templates/configmap.yaml | 1 + .../defectdojo/templates/django-deployment.yaml | 1 + helm/defectdojo/templates/django-ingress.yaml | 1 + helm/defectdojo/templates/django-service.yaml | 1 + helm/defectdojo/templates/extra-secret.yaml | 1 + .../templates/gke-managed-certificate.yaml | 3 ++- helm/defectdojo/templates/initializer-job.yaml | 1 + helm/defectdojo/templates/media-pvc.yaml | 5 +++-- helm/defectdojo/templates/network-policy.yaml | 2 ++ helm/defectdojo/templates/sa.yaml | 1 + .../defectdojo/templates/secret-postgresql.yaml | 1 + helm/defectdojo/templates/secret-redis.yaml | 1 + helm/defectdojo/templates/secret.yaml | 17 +++++++++-------- helm/defectdojo/values.yaml | 6 +++++- 17 files changed, 37 insertions(+), 17 deletions(-) diff --git a/helm/defectdojo/templates/celery-beat-deployment.yaml b/helm/defectdojo/templates/celery-beat-deployment.yaml index 24502529bcd..1d49b2790ee 100644 --- a/helm/defectdojo/templates/celery-beat-deployment.yaml +++ b/helm/defectdojo/templates/celery-beat-deployment.yaml @@ -59,12 +59,12 @@ spec: volumes: - name: run emptyDir: {} - {{- if .Values.localsettingspy }} + {{- if .Values.localsettingspy }} - name: localsettingspy configMap: name: {{ $fullName }}-localsettingspy {{- end }} - {{- if .Values.django.uwsgi.certificates.enabled }} + {{- if .Values.django.uwsgi.certificates.enabled }} - name: cert-mount configMap: name: {{ .Values.django.uwsgi.certificates.configName }} 
@@ -126,7 +126,7 @@ spec: volumeMounts: - name: run mountPath: /run/defectdojo - {{- if .Values.localsettingspy }} + {{- if .Values.localsettingspy }} - name: localsettingspy readOnly: true mountPath: /app/dojo/settings/local_settings.py diff --git a/helm/defectdojo/templates/celery-worker-deployment.yaml b/helm/defectdojo/templates/celery-worker-deployment.yaml index cfb426544bd..bf3f6107ed6 100644 --- a/helm/defectdojo/templates/celery-worker-deployment.yaml +++ b/helm/defectdojo/templates/celery-worker-deployment.yaml @@ -3,6 +3,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ $fullName }}-celery-worker + namespace: {{ .Release.Namespace }} labels: defectdojo.org/component: celery defectdojo.org/subcomponent: worker @@ -127,7 +128,7 @@ spec: mountPath: /app/dojo/settings/local_settings.py subPath: file {{- end }} - {{- if .Values.django.uwsgi.certificates.enabled }} + {{- if .Values.django.uwsgi.certificates.enabled }} - name: cert-mount mountPath: {{ .Values.django.uwsgi.certificates.certMountPath }} {{- end }} diff --git a/helm/defectdojo/templates/configmap-local-settings-py.yaml b/helm/defectdojo/templates/configmap-local-settings-py.yaml index dc75942fbc0..3b4668892de 100644 --- a/helm/defectdojo/templates/configmap-local-settings-py.yaml +++ b/helm/defectdojo/templates/configmap-local-settings-py.yaml @@ -1,9 +1,10 @@ -{{- if .Values.localsettingspy }} +{{- if .Values.localsettingspy }} {{- $fullName := include "defectdojo.fullname" . -}} apiVersion: v1 kind: ConfigMap metadata: name: {{ $fullName }}-localsettingspy + namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: {{ include "defectdojo.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/helm/defectdojo/templates/configmap.yaml b/helm/defectdojo/templates/configmap.yaml index d1808d4b5ff..dc7fc61d2ff 100644 --- a/helm/defectdojo/templates/configmap.yaml +++ b/helm/defectdojo/templates/configmap.yaml 
@@ -4,6 +4,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ $fullName }} + namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: {{ include "defectdojo.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/helm/defectdojo/templates/django-deployment.yaml b/helm/defectdojo/templates/django-deployment.yaml index 7ab806cc524..e3da3d664ad 100644 --- a/helm/defectdojo/templates/django-deployment.yaml +++ b/helm/defectdojo/templates/django-deployment.yaml @@ -3,6 +3,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ $fullName }}-django + namespace: {{ .Release.Namespace }} labels: defectdojo.org/component: django app.kubernetes.io/name: {{ include "defectdojo.name" . }} diff --git a/helm/defectdojo/templates/django-ingress.yaml b/helm/defectdojo/templates/django-ingress.yaml index 4a0209d15a2..40ce2de9bcd 100644 --- a/helm/defectdojo/templates/django-ingress.yaml +++ b/helm/defectdojo/templates/django-ingress.yaml @@ -4,6 +4,7 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: {{ $fullName }} + namespace: {{ .Release.Namespace }} labels: defectdojo.org/component: django app.kubernetes.io/name: {{ include "defectdojo.name" . }} diff --git a/helm/defectdojo/templates/django-service.yaml b/helm/defectdojo/templates/django-service.yaml index f8c20aa092f..adc3ad0e166 100644 --- a/helm/defectdojo/templates/django-service.yaml +++ b/helm/defectdojo/templates/django-service.yaml @@ -3,6 +3,7 @@ apiVersion: v1 kind: Service metadata: name: {{ $fullName }}-django + namespace: {{ .Release.Namespace }} labels: defectdojo.org/component: django app.kubernetes.io/name: {{ include "defectdojo.name" . }} diff --git a/helm/defectdojo/templates/extra-secret.yaml b/helm/defectdojo/templates/extra-secret.yaml index d97800283a6..d1c203fecb1 100644 --- a/helm/defectdojo/templates/extra-secret.yaml +++ b/helm/defectdojo/templates/extra-secret.yaml 
@@ -4,6 +4,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ $fullName }}-extrasecrets + namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: {{ include "defectdojo.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/helm/defectdojo/templates/gke-managed-certificate.yaml b/helm/defectdojo/templates/gke-managed-certificate.yaml index 43399626310..a27ff9d063f 100644 --- a/helm/defectdojo/templates/gke-managed-certificate.yaml +++ b/helm/defectdojo/templates/gke-managed-certificate.yaml @@ -1,9 +1,10 @@ -{{- if .Values.gke.useManagedCertificate }} +{{- if .Values.gke.useManagedCertificate | and (.Capabilities.APIVersions.Has "networking.gke.io/v1") }} {{- $fullName := include "defectdojo.fullname" . -}} apiVersion: networking.gke.io/v1 kind: ManagedCertificate metadata: name: {{ $fullName }}-django + namespace: {{ .Release.Namespace }} spec: domains: - {{ .Values.host }} diff --git a/helm/defectdojo/templates/initializer-job.yaml b/helm/defectdojo/templates/initializer-job.yaml index c5b304bf2c6..93b42695e36 100644 --- a/helm/defectdojo/templates/initializer-job.yaml +++ b/helm/defectdojo/templates/initializer-job.yaml @@ -4,6 +4,7 @@ apiVersion: batch/v1 kind: Job metadata: name: {{ template "initializer.jobname" . }} + namespace: {{ .Release.Namespace }} labels: defectdojo.org/component: initializer app.kubernetes.io/name: {{ include "defectdojo.name" . }} diff --git a/helm/defectdojo/templates/media-pvc.yaml b/helm/defectdojo/templates/media-pvc.yaml index d31d3251b44..ba95538f6df 100644 --- a/helm/defectdojo/templates/media-pvc.yaml +++ b/helm/defectdojo/templates/media-pvc.yaml @@ -1,6 +1,6 @@ {{- $fullName := include "django.pvc_name" $ -}} {{ with .Values.django.mediaPersistentVolume }} -{{- if and .enabled (eq .type "pvc") .persistentVolumeClaim.create }} +{{- if and .enabled (eq .type "pvc") .persistentVolumeClaim.create }} apiVersion: v1 kind: PersistentVolumeClaim metadata: 
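Review bot: Gating the ManagedCertificate on `.Capabilities.APIVersions.Has "networking.gke.io/v1"` means that under `helm template`, or in GitOps tools that render offline without `--api-versions`, the certificate is silently dropped even when `gke.useManagedCertificate` is true, leaving the ingress (which presumably references it) without its TLS resource and nothing in the render to say why. Either document this next to `gke.useManagedCertificate` in values.yaml and the README, e.g. `# requires the networking.gke.io/v1 API to be discoverable at render time; pass --api-versions networking.gke.io/v1 when rendering offline`, or drop the capability check and let the API server reject the object on non-GKE clusters. Also, `useManagedCertificate | and (...)` reads backwards; `{{- if and .Values.gke.useManagedCertificate (.Capabilities.APIVersions.Has "networking.gke.io/v1") }}` is the conventional form.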
@@ -14,9 +14,10 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ $fullName }} + namespace: {{ .Release.Namespace }} spec: accessModes: - {{- toYaml .persistentVolumeClaim.accessModes |nindent 4 }} + {{- toYaml .persistentVolumeClaim.accessModes | nindent 4 }} resources: requests: storage: {{ .persistentVolumeClaim.size }} diff --git a/helm/defectdojo/templates/network-policy.yaml b/helm/defectdojo/templates/network-policy.yaml index e580a0df80c..33768143718 100644 --- a/helm/defectdojo/templates/network-policy.yaml +++ b/helm/defectdojo/templates/network-policy.yaml @@ -4,6 +4,7 @@ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: {{ $fullName }}-networkpolicy + namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} @@ -44,6 +45,7 @@ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: {{ $fullName }}-networkpolicy-django + namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} diff --git a/helm/defectdojo/templates/sa.yaml b/helm/defectdojo/templates/sa.yaml index 4345da6360a..25a10651dcd 100644 --- a/helm/defectdojo/templates/sa.yaml +++ b/helm/defectdojo/templates/sa.yaml @@ -3,6 +3,7 @@ kind: ServiceAccount apiVersion: v1 metadata: name: {{ include "defectdojo.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: {{ include "defectdojo.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/helm/defectdojo/templates/secret-postgresql.yaml b/helm/defectdojo/templates/secret-postgresql.yaml index 12924bb29c5..f8893418ba1 100644 --- a/helm/defectdojo/templates/secret-postgresql.yaml +++ b/helm/defectdojo/templates/secret-postgresql.yaml 
@@ -3,6 +3,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ .Values.postgresql.auth.existingSecret }} + namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: {{ include "defectdojo.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/helm/defectdojo/templates/secret-redis.yaml b/helm/defectdojo/templates/secret-redis.yaml index f6d102c2513..28b87d9af8d 100644 --- a/helm/defectdojo/templates/secret-redis.yaml +++ b/helm/defectdojo/templates/secret-redis.yaml @@ -3,6 +3,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ .Values.redis.auth.existingSecret }} + namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: {{ include "defectdojo.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/helm/defectdojo/templates/secret.yaml b/helm/defectdojo/templates/secret.yaml index c3a3c56f6c4..2f79c70ebf2 100644 --- a/helm/defectdojo/templates/secret.yaml +++ b/helm/defectdojo/templates/secret.yaml @@ -4,6 +4,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ $fullName }} + namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: {{ include "defectdojo.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} 
@@ -28,22 +29,22 @@ type: Opaque data: {{- if .Values.admin.password }} DD_ADMIN_PASSWORD: {{ .Values.admin.password | b64enc | quote }} -{{- else}} +{{- else }} DD_ADMIN_PASSWORD: {{ randAlphaNum 22 | b64enc | quote }} -{{- end}} +{{- end }} {{- if .Values.admin.secretKey }} DD_SECRET_KEY: {{ .Values.admin.secretKey | b64enc | quote }} -{{- else}} +{{- else }} DD_SECRET_KEY: {{ randAlphaNum 128 | b64enc | quote }} -{{- end}} +{{- end }} {{- if .Values.admin.credentialAes256Key }} DD_CREDENTIAL_AES_256_KEY: {{ .Values.admin.credentialAes256Key | b64enc | quote }} -{{- else}} +{{- else }} DD_CREDENTIAL_AES_256_KEY: {{ randAlphaNum 128 | b64enc | quote }} -{{- end}} +{{- end }} {{- if .Values.admin.metricsHttpAuthPassword }} METRICS_HTTP_AUTH_PASSWORD: {{ .Values.admin.metricsHttpAuthPassword | b64enc | quote }} -{{- else}} +{{- else }} METRICS_HTTP_AUTH_PASSWORD: {{ randAlphaNum 32 | b64enc | quote }} -{{- end}} +{{- end }} {{- end }} diff --git a/helm/defectdojo/values.yaml b/helm/defectdojo/values.yaml index 419fe46d110..51bcba16835 100644 --- a/helm/defectdojo/values.yaml +++ b/helm/defectdojo/values.yaml @@ -504,12 +504,13 @@ redis: # DD_SOCIAL_AUTH_AUTH0_OAUTH2_ENABLED: 'true' # DD_SOCIAL_AUTH_AUTH0_KEY: 'dev' # DD_SOCIAL_AUTH_AUTH0_DOMAIN: 'xxxxx' +extraConfigs: {} # Extra secrets can be created inside of extraSecrets block: # NOTE This is just an exmaple, do not store sensitive data in plain text form, better inject it during the deployment/upgrade by --set extraSecrets.secret=someSecret # extraSecrets: # DD_SOCIAL_AUTH_AUTH0_SECRET: 'xxx' -extraConfigs: {} +extraSecrets: {} # To add (or override) extra variables which need to be pulled from another configMap, you can # use extraEnv. For example: 
@@ -519,6 +520,7 @@ extraConfigs: {} # configMapKeyRef: # name: my-other-postgres-configmap # key: cluster_endpoint +extraEnv: {} # To add code snippet which would extend setting functionality, you might add it here # It will be stored as ConfigMap and mounted `dojo/settings/local_settings.py`. @@ -531,6 +533,8 @@ extraConfigs: {} # MIDDLEWARE = [ # 'debug_toolbar.middleware.DebugToolbarMiddleware', # ] + MIDDLEWARE +localsettingspy: "" + # # External database support. # From a4bab223602fe6961612ce8b4742d6ebde37b50b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jes=C3=BAs=20Fern=C3=A1ndez?= <7312236+fernandezcuesta@users.noreply.github.com> Date: Tue, 23 Sep 2025 01:13:38 +0200 Subject: [PATCH 06/13] chore: refactor, split container and pod security context --- helm/defectdojo/templates/_helpers.tpl | 95 +++++++++++++++---- .../templates/celery-beat-deployment.yaml | 50 ++++++---- .../templates/celery-worker-deployment.yaml | 51 ++++++---- .../configmap-local-settings-py.yaml | 13 ++- helm/defectdojo/templates/configmap.yaml | 20 ++-- .../templates/django-deployment.yaml | 83 ++++++++++------ helm/defectdojo/templates/django-ingress.yaml | 35 +++---- helm/defectdojo/templates/django-service.yaml | 20 ++-- helm/defectdojo/templates/extra-secret.yaml | 23 ++--- .../templates/gke-managed-certificate.yaml | 12 +++ .../defectdojo/templates/initializer-job.yaml | 44 ++++++--- helm/defectdojo/templates/media-pvc.yaml | 10 +- helm/defectdojo/templates/network-policy.yaml | 36 ++++--- helm/defectdojo/templates/sa.yaml | 30 +++--- .../templates/secret-postgresql.yaml | 25 +++-- helm/defectdojo/templates/secret-redis.yaml | 25 +++-- helm/defectdojo/templates/secret.yaml | 25 +++-- helm/defectdojo/values.yaml | 74 +++++++++++---- 18 files changed, 433 insertions(+), 238 deletions(-) diff --git a/helm/defectdojo/templates/_helpers.tpl b/helm/defectdojo/templates/_helpers.tpl index e7ac6a1a4d6..dd2e9549b7e 100644 --- a/helm/defectdojo/templates/_helpers.tpl 
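Review bot: The new default `extraEnv: {}` declares a mapping, but the example directly above it and the `{{- with .Values.extraEnv }}{{ toYaml . }}` usage under `env:` in `_helpers.tpl` expect a list of env entries; a mapping that someone later populates renders as `key: value` pairs inside `env:` and fails at apply time, and a JSON-schema `type: array` for this key (if one exists) would reject the default itself. Use `extraEnv: []`, matching `django.extraEnv` and `initializer.extraEnv`.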
+++ b/helm/defectdojo/templates/_helpers.tpl @@ -1,15 +1,15 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. +{{- /* vim: set filetype=mustache: */}} +{{- /* + Expand the name of the chart. */}} {{- define "defectdojo.name" -}} {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} {{- end -}} -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. +{{- /* + Create a default fully qualified app name. + We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). + If release name contains chart name it will be used as a full name. */}} {{- define "defectdojo.fullname" -}} {{- if .Values.fullnameOverride -}} @@ -24,15 +24,15 @@ If release name contains chart name it will be used as a full name. {{- end -}} {{- end -}} -{{/* -Create chart name and version as used by the chart label. +{{- /* + Create chart name and version as used by the chart label. */}} {{- define "defectdojo.chart" -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} {{- end -}} -{{/* -Create the name of the service account to use +{{- /* + Create the name of the service account to use */}} {{- define "defectdojo.serviceAccountName" -}} {{- if .Values.serviceAccount.create -}} @@ -42,7 +42,7 @@ Create the name of the service account to use {{- end -}} {{- end -}} -{{/* +{{- /* Determine the hostname to use for PostgreSQL/Redis. */}} {{- define "postgresql.hostname" -}} @@ -67,7 +67,7 @@ Create the name of the service account to use {{- end -}} {{- end -}} -{{/* +{{- /* Determine the protocol to use for Redis. */}} {{- define "redis.scheme" -}} 
@@ -82,7 +82,7 @@ Create the name of the service account to use {{- end -}} {{- end -}} -{{/* +{{- /* Builds the repository names for use with local or private registries */}} {{- define "celery.repository" -}} @@ -109,7 +109,7 @@ Create the name of the service account to use {{- end -}} {{- end -}} -{{/* +{{- /* Creates the array for DD_ALLOWED_HOSTS in configmap */}} {{- define "django.allowed_hosts" -}} @@ -121,7 +121,7 @@ Create the name of the service account to use {{- end -}} {{- end -}} -{{/* +{{- /* Creates the persistentVolumeName */}} {{- define "django.pvc_name" -}} @@ -132,7 +132,7 @@ Create the name of the service account to use {{- end -}} {{- end -}} -{{/* +{{- /* Define db-migration-checker */}} {{- define "dbMigrationChecker" -}} @@ -145,7 +145,11 @@ Create the name of the service account to use imagePullPolicy: {{ .Values.imagePullPolicy }} {{- if .Values.securityContext.enabled }} securityContext: - {{- toYaml .Values.securityContext.djangoSecurityContext | nindent 4 }} + {{- include "helpers.securityContext" (list + .Values + "dbMigrationChecker.containerSecurityContext" + "securityContext.containerSecurityContext" + ) | nindent 4 }} {{- end }} envFrom: - configMapRef: 
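Review bot: The `securityContext.djangoSecurityContext` key this hunk stops reading is, as far as the hunks here show, not consulted by any remaining template, and the same holds for `securityContext.nginxSecurityContext` (django-deployment.yaml) and `initializer.securityContext` (initializer-job.yaml); Helm does not warn on unknown values keys, so a user's existing override of those keys silently stops applying after the upgrade while the new per-component keys are still empty. Either make the helper fall back to the removed key when the new one is unset, or `fail` the render when a removed key is still populated, and record the rename in the chart's upgrade notes. A second, stylistic point: the include here is piped through `nindent 4` while `helpers.securityContext` already ends with `nindent 2`, so the rendered block carries a whitespace-only line and keys indented deeper than the sibling `resources:` entries; dropping the inner `nindent 2` from the helper and keeping the caller-side indent gives a clean block at this call site and at the ones in celery-beat, celery-worker, django-deployment and initializer-job.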
@@ -163,13 +167,64 @@ Create the name of the service account to use secretKeyRef: name: {{ .Values.postgresql.auth.existingSecret | default "defectdojo-postgresql-specific" }} key: {{ .Values.postgresql.auth.secretKeys.userPasswordKey | default "postgresql-password" }} - {{- with.Values.django.extraEnv }} + {{- with .Values.extraEnv }} + {{- toYaml . | nindent 2 }} + {{- end }} + {{- with.Values.dbMigrationChecker.extraEnv }} {{- toYaml . | nindent 2 }} {{- end }} resources: {{- toYaml .Values.dbMigrationChecker.resources | nindent 4 }} - {{- with .Values.django.extraVolumeMounts }} + {{- with .Values.dbMigrationChecker.extraVolumeMounts }} volumeMounts: {{- . | toYaml | nindent 4 }} {{- end }} {{- end -}} + +{{- /* +Returns the JSON representation of the value for a dot-notation path +from a given context. + Args: + 1: context (e.g., .Values) + 2: path (e.g., "foo.bar") +*/}} +{{- define "helpers.getValue" -}} + {{- $ctx := merge dict (index . 0) -}} + {{- $path := index . 1 -}} + {{- $parts := splitList "." $path -}} + {{- $value := $ctx -}} + {{- range $idx, $part := $parts -}} + {{- if kindIs "map" $value -}} + {{- $value = index $value $part -}} + {{- else -}} + {{- $value = "" -}} + {{- /* Exit early by setting to last iteration */}} + {{- $idx = sub (len $parts) 1 -}} + {{- end -}} + {{- end -}} + {{- toJson $value -}} +{{- end -}} + +{{- /* + Build the security context. + Args: + 1: values context (.Values) + 2: the key under the context (e.g., "foo.bar") + 3: the security context key (e.g. "securityContext.containerSecurityContext") +*/}} +{{- define "helpers.securityContext" -}} +{{- $securityContext := dict -}} +{{- $values := merge dict (index . 0) -}} +{{- $path := index . 1 -}} +{{- $sctx := index . 
2 -}} +{{- with $values }} + {{- $securityContext = (merge + $securityContext + (include "helpers.getValue" (list $values $sctx) | fromJson) + (include "helpers.getValue" (list $values $path) | fromJson) + ) -}} +{{- end -}} +{{- with $securityContext -}} +{{- . | toYaml | nindent 2 -}} +{{- end -}} +{{- end -}} diff --git a/helm/defectdojo/templates/celery-beat-deployment.yaml b/helm/defectdojo/templates/celery-beat-deployment.yaml index 1d49b2790ee..7e1c505bab3 100644 --- a/helm/defectdojo/templates/celery-beat-deployment.yaml +++ b/helm/defectdojo/templates/celery-beat-deployment.yaml @@ -2,7 +2,12 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: {{ $fullName }}-celery-beat + {{- with mergeOverwrite dict .Values.extraAnnotations .Values.celery.annotations .Values.celery.beat.annotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ quote $value }} + {{- end }} + {{- end }} labels: defectdojo.org/component: celery defectdojo.org/subcomponent: beat @@ -10,13 +15,11 @@ metadata: app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} helm.sh/chart: {{ include "defectdojo.chart" . }} - {{- with .Values.extraLabels }} - {{- toYaml . | nindent 4 }} + {{- range $key, $value := .Values.extraLabels }} + {{ $key }}: {{ quote $value }} {{- end }} - {{- with mergeOverwrite .Values.celery.annotations .Values.celery.beat.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} + name: {{ $fullName }}-celery-beat + namespace: {{ .Release.Namespace }} spec: replicas: {{ .Values.celery.beat.replicas }} {{- with .Values.revisionHistoryLimit }} 
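Review bot: `helpers.securityContext` combines the two contexts with sprig `merge`, which keeps the first value it sees for a key, so with the global `securityContext.*SecurityContext` path listed before the per-component path a component-level override (a different `runAsUser`, or `readOnlyRootFilesystem`) is silently discarded; if the intent is component-over-global, use `mergeOverwrite` on the `$securityContext = (merge` line, as the annotation blocks elsewhere in this patch already do. `helpers.getValue` returns `""` when any path segment is missing or null, and Helm's `fromJson` answers a non-object input with a map holding an `Error` key, so a value such as `django.podSecurityContext: null` would render an `Error:` field into the pod's securityContext instead of falling back to the defaults. The rewrite below hands back `{}` for anything that is not a map; the original's `$idx = sub (len $parts) 1` does not stop the `range` either, so its "exit early" comment is misleading. Separately, the added `{{- with.Values.dbMigrationChecker.extraEnv }}` line is missing the space after `with`; it parses, but `{{- with .Values.dbMigrationChecker.extraEnv }}` matches the line above it.

```gotmpl
{{- define "helpers.getValue" -}}
  {{- $value := merge dict (index . 0) -}}
  {{- $found := true -}}
  {{- range $part := splitList "." (index . 1) -}}
    {{- if and $found (kindIs "map" $value) -}}
      {{- $value = index $value $part -}}
    {{- else -}}
      {{- $found = false -}}
    {{- end -}}
  {{- end -}}
  {{- /* Helm's fromJson only accepts a JSON object; hand back {} for a missing, null or non-map value */ -}}
  {{- if and $found (kindIs "map" $value) -}}
    {{- toJson $value -}}
  {{- else -}}
    {{- "{}" -}}
  {{- end -}}
{{- end -}}
```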
@@ -35,15 +38,12 @@ spec: defectdojo.org/subcomponent: beat app.kubernetes.io/name: {{ include "defectdojo.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} - {{- with .Values.extraLabels }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.podLabels }} - {{- toYaml . | nindent 8 }} + {{- range $key, $value := mergeOverwrite dict .Values.extraLabels .Values.podLabels }} + {{ $key }}: {{ quote $value }} {{- end }} annotations: - {{- with mergeOverwrite .Values.celery.annotations .Values.celery.beat.podAnnotations }} - {{- toYaml . | nindent 8 }} + {{- range $key, $value := mergeOverwrite dict .Values.extraAnnotations .Values.celery.annotations .Values.celery.beat.podAnnotations }} + {{ $key }}: {{ quote $value }} {{- end }} {{- if eq (.Values.trackConfig | default "disabled") "enabled" }} checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} @@ -51,6 +51,14 @@ spec: checksum/esecret: {{ include (print $.Template.BasePath "/extra-secret.yaml") . | sha256sum }} {{- end }} spec: + {{- if .Values.securityContext.enabled }} + securityContext: + {{- include "helpers.securityContext" (list + .Values + "celery.beat.podSecurityContext" + "securityContext.podSecurityContext" + ) | nindent 8 }} + {{- end }} serviceAccountName: {{ include "defectdojo.serviceAccountName" . }} {{- with .Values.imagePullSecrets }} imagePullSecrets: @@ -86,8 +94,14 @@ spec: resources: {{- . | toYaml | nindent 10 }} {{- end }} restartPolicy: Always + {{- if .Values.securityContext.enabled }} securityContext: - runAsNonRoot: true + {{- include "helpers.securityContext" (list + .Values + "cloudsql.containerSecurityContext" + "securityContext.containerSecurityContext" + ) | nindent 10 }} + {{- end }} command: ["/cloud_sql_proxy"] args: - "-verbose={{ .Values.cloudsql.verbose }}" 
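Review bot: The cloudsql-proxy sidecar loses its unconditional `runAsNonRoot: true` in the `@@ -86,8 +94,14 @@` hunk: its container securityContext is now emitted only under `.Values.securityContext.enabled`, so a chart user who leaves that switch off gets a proxy container with no securityContext at all, where before this patch it always ran as non-root. The same change is made to the sidecar in celery-worker-deployment.yaml and, by dropping the `{{- else }}` branch, in django-deployment.yaml. Keep `securityContext:` outside the `if` and add `{{- else }}` / `runAsNonRoot: true` as the fallback, or state in the PR description that `securityContext.enabled: false` now means no hardening for the sidecar either.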
@@ -121,7 +135,11 @@ spec: {{- end }} {{- if .Values.securityContext.enabled }} securityContext: - {{- toYaml .Values.securityContext.djangoSecurityContext | nindent 10 }} + {{- include "helpers.securityContext" (list + .Values + "celery.beat.containerSecurityContext" + "securityContext.containerSecurityContext" + ) | nindent 10 }} {{- end }} volumeMounts: - name: run diff --git a/helm/defectdojo/templates/celery-worker-deployment.yaml b/helm/defectdojo/templates/celery-worker-deployment.yaml index bf3f6107ed6..30de8474666 100644 --- a/helm/defectdojo/templates/celery-worker-deployment.yaml +++ b/helm/defectdojo/templates/celery-worker-deployment.yaml @@ -2,8 +2,12 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: {{ $fullName }}-celery-worker - namespace: {{ .Release.Namespace }} + {{- with mergeOverwrite dict .Values.extraAnnotations .Values.celery.annotations .Values.celery.worker.annotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ quote $value }} + {{- end }} + {{- end }} labels: defectdojo.org/component: celery defectdojo.org/subcomponent: worker @@ -11,13 +15,11 @@ metadata: app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} helm.sh/chart: {{ include "defectdojo.chart" . }} - {{- with .Values.extraLabels }} - {{- toYaml . | nindent 4 }} + {{- range $key, $value := .Values.extraLabels }} + {{ $key }}: {{ quote $value }} {{- end }} - {{- with mergeOverwrite .Values.celery.annotations .Values.celery.worker.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} + name: {{ $fullName }}-celery-worker + namespace: {{ .Release.Namespace }} spec: replicas: {{ .Values.celery.worker.replicas }} {{- with .Values.revisionHistoryLimit }} 
@@ -36,15 +38,12 @@ spec: defectdojo.org/subcomponent: worker app.kubernetes.io/name: {{ include "defectdojo.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} - {{- with .Values.extraLabels }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.podLabels }} - {{- toYaml . | nindent 8 }} + {{- range $key, $value := mergeOverwrite dict .Values.extraLabels .Values.podLabels }} + {{ $key }}: {{ quote $value }} {{- end }} annotations: - {{- with mergeOverwrite .Values.celery.annotations .Values.celery.worker.podAnnotations }} - {{- toYaml . | nindent 8 }} + {{- range $key, $value := mergeOverwrite dict .Values.extraAnnotations .Values.celery.annotations .Values.celery.worker.podAnnotations }} + {{ $key }}: {{ quote $value }} {{- end }} {{- if eq (.Values.trackConfig | default "disabled") "enabled" }} checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} @@ -52,6 +51,14 @@ spec: checksum/esecret: {{ include (print $.Template.BasePath "/extra-secret.yaml") . | sha256sum }} {{- end }} spec: + {{- if .Values.securityContext.enabled }} + securityContext: + {{- include "helpers.securityContext" (list + .Values + "celery.worker.podSecurityContext" + "securityContext.podSecurityContext" + ) | nindent 8 }} + {{- end }} serviceAccountName: {{ include "defectdojo.serviceAccountName" . }} {{- with .Values.imagePullSecrets }} imagePullSecrets: @@ -85,8 +92,14 @@ spec: resources: {{- . | toYaml | nindent 10 }} {{- end }} restartPolicy: Always + {{- if .Values.securityContext.enabled }} securityContext: - runAsNonRoot: true + {{- include "helpers.securityContext" (list + .Values + "cloudsql.containerSecurityContext" + "securityContext.containerSecurityContext" + ) | nindent 10 }} + {{- end }} command: ["/cloud_sql_proxy"] args: - "-verbose={{ .Values.cloudsql.verbose }}" 
@@ -118,7 +131,11 @@ spec: {{- end }} {{- if .Values.securityContext.enabled }} securityContext: - {{- toYaml .Values.securityContext.djangoSecurityContext | nindent 10 }} + {{- include "helpers.securityContext" (list + .Values + "celery.worker.containerSecurityContext" + "securityContext.containerSecurityContext" + ) | nindent 10 }} {{- end }} command: ['/entrypoint-celery-worker.sh'] volumeMounts: diff --git a/helm/defectdojo/templates/configmap-local-settings-py.yaml b/helm/defectdojo/templates/configmap-local-settings-py.yaml index 3b4668892de..30c42244251 100644 --- a/helm/defectdojo/templates/configmap-local-settings-py.yaml +++ b/helm/defectdojo/templates/configmap-local-settings-py.yaml @@ -3,13 +3,22 @@ apiVersion: v1 kind: ConfigMap metadata: - name: {{ $fullName }}-localsettingspy - namespace: {{ .Release.Namespace }} + {{- with .Values.extraAnnotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ quote $value }} + {{- end }} + {{- end }} labels: app.kubernetes.io/name: {{ include "defectdojo.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} helm.sh/chart: {{ include "defectdojo.chart" . }} + {{- with .Values.extraLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ $fullName }}-localsettingspy + namespace: {{ .Release.Namespace }} data: file: {{ toYaml .Values.localsettingspy | indent 4 }} diff --git a/helm/defectdojo/templates/configmap.yaml b/helm/defectdojo/templates/configmap.yaml index dc7fc61d2ff..77a5905e3a3 100644 --- a/helm/defectdojo/templates/configmap.yaml +++ b/helm/defectdojo/templates/configmap.yaml 
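Review bot: The `extraLabels` block added to configmap-local-settings-py.yaml still uses `{{- with .Values.extraLabels }} {{- toYaml . | nindent 4 }}`, whereas every other metadata block in this patch was converted to `{{- range $key, $value := .Values.extraLabels }} {{ $key }}: {{ quote $value }}`. The two forms differ for non-string label values: `toYaml` emits a bare `true` or `1`, which the API server rejects because labels are string-to-string, while `quote` turns them into strings. Switching this one to the `range`/`quote` form keeps the ConfigMap consistent with the rest of the chart.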
@@ -3,22 +3,22 @@ apiVersion: v1 kind: ConfigMap metadata: - name: {{ $fullName }} - namespace: {{ .Release.Namespace }} + {{- with .Values.extraAnnotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ quote $value }} + {{- end }} + {{- end }} labels: app.kubernetes.io/name: {{ include "defectdojo.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} helm.sh/chart: {{ include "defectdojo.chart" . }} - {{- with .Values.extraLabels }} - {{- toYaml . | nindent 4 }} + {{- range $key, $value := .Values.extraLabels }} + {{ $key }}: {{ quote $value }} {{- end }} -{{- if .Values.annotations }} - annotations: -{{- with .Values.annotations }} - {{- toYaml . | nindent 4 }} -{{- end }} -{{- end }} + name: {{ $fullName }} + namespace: {{ .Release.Namespace }} data: DD_ADMIN_USER: {{ .Values.admin.user | default "admin" }} DD_ADMIN_MAIL: {{ .Values.admin.Mail | default "admin@defectdojo.local" }} diff --git a/helm/defectdojo/templates/django-deployment.yaml b/helm/defectdojo/templates/django-deployment.yaml index e3da3d664ad..22d518ae200 100644 --- a/helm/defectdojo/templates/django-deployment.yaml +++ b/helm/defectdojo/templates/django-deployment.yaml 
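Review bot: This hunk stops reading `.Values.annotations` in favour of `.Values.extraAnnotations`, and the same swap is made in extra-secret.yaml, sa.yaml, secret-postgresql.yaml and secret-redis.yaml; Helm does not complain about unknown values keys, so an existing `annotations:` override silently stops being rendered after the upgrade. If the rename is intended, either keep the old key as a fallback, e.g. `{{- range $key, $value := mergeOverwrite dict .Values.annotations .Values.extraAnnotations }}`, or reject it once with `{{- if .Values.annotations }}{{ fail "annotations was renamed to extraAnnotations" }}{{- end }}`, and mention it in the chart's changelog. The values.yaml part of the patch is not shown here, so a values schema may already cover this.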
@@ -2,21 +2,23 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: {{ $fullName }}-django - namespace: {{ .Release.Namespace }} + {{- with mergeOverwrite dict .Values.extraAnnotations .Values.django.annotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ quote $value }} + {{- end }} + {{- end }} labels: defectdojo.org/component: django app.kubernetes.io/name: {{ include "defectdojo.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} helm.sh/chart: {{ include "defectdojo.chart" . }} - {{- with .Values.extraLabels }} - {{- toYaml . | nindent 4 }} + {{- range $key, $value := .Values.extraLabels }} + {{ $key }}: {{ quote $value }} {{- end }} - {{- with .Values.django.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} + name: {{ $fullName }}-django + namespace: {{ .Release.Namespace }} spec: replicas: {{ .Values.django.replicas }} {{- with .Values.django.strategy }} @@ -37,15 +39,12 @@ spec: defectdojo.org/component: django app.kubernetes.io/name: {{ include "defectdojo.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} - {{- with .Values.extraLabels }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.podLabels }} - {{- toYaml . | nindent 8 }} - {{- end }} + {{- range $key, $value := mergeOverwrite dict .Values.extraLabels .Values.podLabels }} + {{ $key }}: {{ quote $value }} + {{- end }} annotations: - {{- with .Values.django.annotations }} - {{- toYaml . | nindent 8 }} + {{- range $key, $value := mergeOverwrite dict .Values.extraAnnotations .Values.django.annotations }} + {{ $key }}: {{ quote $value }} {{- end }} {{- if and .Values.monitoring.enabled .Values.monitoring.prometheus.enabled }} prometheus.io/path: /metrics 
@@ -65,8 +64,14 @@ spec: - name: {{ quote . }} {{- end }} {{- if .Values.django.mediaPersistentVolume.enabled }} + {{- if .Values.securityContext.enabled }} securityContext: - fsGroup: {{ .Values.django.mediaPersistentVolume.fsGroup | default 1001 }} + {{- include "helpers.securityContext" (list + .Values + "django.podSecurityContext" + "securityContext.podSecurityContext" + ) | nindent 8 }} + {{- end }} {{- end }} volumes: - name: run @@ -102,19 +107,21 @@ spec: - name: cloudsql-proxy image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }} imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }} - {{- with .Values.django.extraEnv }} + {{- with .Values.cloudsql.extraEnv }} env: {{- . | toYaml | nindent 8 }} {{- end }} {{- with .Values.cloudsql.resources }} resources: {{- . | toYaml | nindent 10 }} {{- end }} restartPolicy: Always + {{- if .Values.securityContext.enabled }} securityContext: - {{- if .Values.securityContext.enabled }} - {{- toYaml .Values.securityContext.djangoSecurityContext | nindent 10 }} - {{- else }} - runAsNonRoot: true - {{- end }} + {{- include "helpers.securityContext" (list + .Values + "cloudsql.containerSecurityContext" + "securityContext.containerSecurityContext" + ) | nindent 10 }} + {{- end }} command: ["/cloud_sql_proxy"] args: - "-verbose={{ .Values.cloudsql.verbose }}" @@ -125,7 +132,7 @@ spec: {{- if .Values.cloudsql.use_private_ip }} - "-ip_address_types=PRIVATE" {{- end }} - {{- with .Values.django.extraVolumeMounts }} + {{- with .Values.cloudsql.extraVolumeMounts }} volumeMounts: {{ . | toYaml | nindent 10 }} {{- end }} {{- end }} @@ -144,7 +151,7 @@ spec: - /usr/bin/nginx-prometheus-exporter - --nginx.scrape-uri - http://127.0.0.1:8080/nginx_status - {{- with .Values.django.extraEnv }} + {{- with .Values.monitoring.prometheus.extraEnv }} env: {{- . | toYaml | nindent 8 }} {{- end }} ports: 
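Review bot: The django pod securityContext no longer carries `fsGroup` from `django.mediaPersistentVolume.fsGroup` (previously defaulted to 1001), so unless the new `securityContext.podSecurityContext` or `django.podSecurityContext` values set an `fsGroup`, a non-root uwsgi on an existing media PVC loses write access to the mounted media volume. It is also the only pod-level securityContext in this patch nested under another condition: with `mediaPersistentVolume.enabled: false` the django pod gets no pod securityContext even though `securityContext.enabled` holds, while celery-beat, celery-worker and the initializer emit theirs unconditionally. I would emit the `securityContext:` block whenever `.Values.securityContext.enabled` holds, and keep the old behaviour either by giving `securityContext.podSecurityContext` a default `fsGroup` in values.yaml and documenting that `django.mediaPersistentVolume.fsGroup` is superseded, or by emitting `fsGroup: {{ .Values.django.mediaPersistentVolume.fsGroup | default 1001 }}` when the media volume is enabled and the merged context lacks that key.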
@@ -163,9 +170,13 @@ spec: {{- end }} {{- if .Values.securityContext.enabled }} securityContext: - {{- .Values.securityContext.djangoSecurityContext | toYaml | nindent 10 }} + {{- include "helpers.securityContext" (list + .Values + "monitoring.prometheus.containerSecurityContext" + "securityContext.containerSecurityContext" + ) | nindent 10 }} {{- end }} - {{- with .Values.django.extraVolumeMounts }} + {{- with .Values.monitoring.prometheus.extraVolumeMounts }} volumeMounts: {{ . | toYaml | nindent 10 }} {{- end }} {{- end }} @@ -174,7 +185,11 @@ spec: imagePullPolicy: {{ .Values.imagePullPolicy }} {{- if .Values.securityContext.enabled }} securityContext: - {{- toYaml .Values.securityContext.djangoSecurityContext | nindent 10 }} + {{- include "helpers.securityContext" (list + .Values + "django.uwsgi.containerSecurityContext" + "securityContext.containerSecurityContext" + ) | nindent 10 }} {{- end }} volumeMounts: - name: run @@ -242,6 +257,9 @@ spec: value: {{- if or .Values.django.ingress.activateTLS .Values.django.nginx.tls.enabled }} "True" {{- else }} "False" {{- end }} - name: DD_CSRF_COOKIE_SECURE value: {{- if or .Values.django.ingress.activateTLS .Values.django.nginx.tls.enabled }} "True" {{- else }} "False" {{- end }} + {{- with .Values.extraEnv }} + {{- . | toYaml | nindent 8 }} + {{- end }} {{- with .Values.django.extraEnv }} {{- . | toYaml | nindent 8 }} {{- end }} @@ -269,7 +287,11 @@ spec: imagePullPolicy: {{ .Values.imagePullPolicy }} {{- if .Values.securityContext.enabled }} securityContext: - {{- toYaml .Values.securityContext.nginxSecurityContext | nindent 10 }} + {{- include "helpers.securityContext" (list + .Values + "django.nginx.containerSecurityContext" + "securityContext.containerSecurityContext" + ) | nindent 10 }} {{- end }} volumeMounts: - name: run 
@@ -301,6 +323,9 @@ spec: value: '{{ .Values.django.nginx.tls.enabled }}' - name: GENERATE_TLS_CERTIFICATE value: '{{ .Values.django.nginx.tls.generateCertificate }}' + {{- with .Values.extraEnv }} + {{- . | toYaml | nindent 8 }} + {{- end }} {{- with .Values.django.extraEnv }} {{- . | toYaml | nindent 8 }} {{- end }} diff --git a/helm/defectdojo/templates/django-ingress.yaml b/helm/defectdojo/templates/django-ingress.yaml index 40ce2de9bcd..aee880f23d9 100644 --- a/helm/defectdojo/templates/django-ingress.yaml +++ b/helm/defectdojo/templates/django-ingress.yaml 
@@ -3,29 +3,32 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: {{ $fullName }} - namespace: {{ .Release.Namespace }} - labels: - defectdojo.org/component: django - app.kubernetes.io/name: {{ include "defectdojo.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - helm.sh/chart: {{ include "defectdojo.chart" . }} - {{- with .Values.extraLabels }} - {{- toYaml . | nindent 4 }} - {{- end }} -{{- if or .Values.django.ingress.annotations .Values.gke.useGKEIngress }} + {{- if or .Values.extraAnnotations .Values.django.ingress.annotations .Values.gke.useGKEIngress }} annotations: -{{- with .Values.django.ingress.annotations }} - {{- toYaml . | nindent 4 }} -{{- end }} + {{- range $key, $value := .Values.extraAnnotations }} + {{ $key }}: {{ quote $value }} + {{- end }} + {{- range $key, $value := .Values.django.ingress.annotations }} + {{ $key }}: {{ quote $value }} + {{- end }} {{- if .Values.gke.useGKEIngress }} {{- if .Values.gke.useManagedCertificate }} kubernetes.io/ingress.allow-http: "false" networking.gke.io/managed-certificates: {{ $fullName }}-django {{- end }} {{- end }} -{{- end }} + {{- end }} + labels: + defectdojo.org/component: django + app.kubernetes.io/name: {{ include "defectdojo.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + helm.sh/chart: {{ include "defectdojo.chart" . }} + {{- range $key, $value := .Values.extraLabels }} + {{ $key }}: {{ quote $value }} + {{- end }} + name: {{ $fullName }} + namespace: {{ .Release.Namespace }} spec: {{- if .Values.django.ingress.ingressClassName }} ingressClassName: {{ .Values.django.ingress.ingressClassName }} diff --git a/helm/defectdojo/templates/django-service.yaml b/helm/defectdojo/templates/django-service.yaml index adc3ad0e166..5f966c15edc 100644 --- a/helm/defectdojo/templates/django-service.yaml +++ b/helm/defectdojo/templates/django-service.yaml 
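Review bot: The two annotation ranges on the new side of the Ingress run back-to-back instead of through `mergeOverwrite dict ...` as every other metadata block in this patch does, so an annotation key present in both `extraAnnotations` and `django.ingress.annotations` is rendered twice and which copy survives depends on the YAML decoder rather than on the chart. Collapse them into `{{- range $key, $value := mergeOverwrite dict .Values.extraAnnotations .Values.django.ingress.annotations }}` and keep the `or` condition so the GKE block still renders on its own.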
@@ -2,23 +2,23 @@ apiVersion: v1 kind: Service metadata: - name: {{ $fullName }}-django - namespace: {{ .Release.Namespace }} + {{- with mergeOverwrite dict .Values.extraAnnotations .Values.django.service.annotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} labels: defectdojo.org/component: django app.kubernetes.io/name: {{ include "defectdojo.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} helm.sh/chart: {{ include "defectdojo.chart" . }} - {{- with .Values.extraLabels }} - {{- toYaml . | nindent 4 }} + {{- range $key, $value := .Values.extraLabels }} + {{ $key }}: {{ quote $value }} {{- end }} -{{- if .Values.django.service.annotations }} - annotations: - {{- range $key, $value := .Values.django.service.annotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} -{{- end }} + name: {{ $fullName }}-django + namespace: {{ .Release.Namespace }} spec: selector: defectdojo.org/component: django diff --git a/helm/defectdojo/templates/extra-secret.yaml b/helm/defectdojo/templates/extra-secret.yaml index d1c203fecb1..caa5b1fcbfa 100644 --- a/helm/defectdojo/templates/extra-secret.yaml +++ b/helm/defectdojo/templates/extra-secret.yaml 
@@ -3,25 +3,22 @@ apiVersion: v1 kind: Secret metadata: - name: {{ $fullName }}-extrasecrets - namespace: {{ .Release.Namespace }} + {{- with mergeOverwrite dict .Values.secrets.annotations .Values.extraAnnotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} labels: app.kubernetes.io/name: {{ include "defectdojo.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} helm.sh/chart: {{ include "defectdojo.chart" . }} - {{- with .Values.extraLabels }} - {{- toYaml . | nindent 4 }} + {{- range $key, $value := .Values.extraLabels }} + {{ $key }}: {{ quote $value }} {{- end }} - {{- if or .Values.secrets.annotations .Values.annotations }} - annotations: - {{- with .Values.secrets.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- end }} + name: {{ $fullName }}-extrasecrets + namespace: {{ .Release.Namespace }} type: Opaque data: {{- range $key, $value := .Values.extraSecrets }} diff --git a/helm/defectdojo/templates/gke-managed-certificate.yaml b/helm/defectdojo/templates/gke-managed-certificate.yaml index a27ff9d063f..14dc539e6b7 100644 --- a/helm/defectdojo/templates/gke-managed-certificate.yaml +++ b/helm/defectdojo/templates/gke-managed-certificate.yaml @@ -3,6 +3,18 @@ apiVersion: networking.gke.io/v1 kind: ManagedCertificate metadata: + {{- with .Values.extraAnnotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ quote $value }} + {{- end }} + {{- end }} + {{- with .Values.extraLabels }} + labels: + {{- range $key, $value := . }} + {{ $key }}: {{ quote $value }} + {{- end }} + {{- end }} name: {{ $fullName }}-django namespace: {{ .Release.Namespace }} spec: diff --git a/helm/defectdojo/templates/initializer-job.yaml b/helm/defectdojo/templates/initializer-job.yaml index 93b42695e36..8f360d6f43e 100644 
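Review bot: The merge order in the extra-secret hunk is `mergeOverwrite dict .Values.secrets.annotations .Values.extraAnnotations`, the reverse of secret-postgresql.yaml and secret-redis.yaml, which use `mergeOverwrite dict .Values.extraAnnotations .Values.secrets.annotations`; `mergeOverwrite` lets the later argument win, so a key set in both is resolved one way for the extra secret and the other way for the two credential secrets. Pick one precedence (the Deployments let the component-specific map win) and make the three Secret templates agree, e.g. `{{- with mergeOverwrite dict .Values.extraAnnotations .Values.secrets.annotations }}` here.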
--- a/helm/defectdojo/templates/initializer-job.yaml +++ b/helm/defectdojo/templates/initializer-job.yaml @@ -3,21 +3,23 @@ apiVersion: batch/v1 kind: Job metadata: - name: {{ template "initializer.jobname" . }} - namespace: {{ .Release.Namespace }} + {{- with mergeOverwrite dict .Values.extraAnnotations .Values.initializer.jobAnnotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ quote $value }} + {{- end }} + {{- end }} labels: defectdojo.org/component: initializer app.kubernetes.io/name: {{ include "defectdojo.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} helm.sh/chart: {{ include "defectdojo.chart" . }} - {{- with .Values.extraLabels }} - {{- toYaml . | nindent 4 }} - {{- end }} - annotations: - {{- with .Values.initializer.jobAnnotations }} - {{- toYaml . | nindent 4 }} + {{- range $key, $value := .Values.extraLabels }} + {{ $key }}: {{ quote $value }} {{- end }} + name: {{ template "initializer.jobname" . }} + namespace: {{ .Release.Namespace }} spec: {{- if and (int .Values.initializer.keepSeconds) (gt (int .Values.initializer.keepSeconds) 0) }} ttlSecondsAfterFinished: {{ .Values.initializer.keepSeconds }} @@ -39,6 +41,14 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} spec: + {{- if .Values.securityContext.enabled }} + securityContext: + {{- include "helpers.securityContext" (list + .Values + "initializer.podSecurityContext" + "securityContext.podSecurityContext" + ) | nindent 8 }} + {{- end }} serviceAccountName: {{ include "defectdojo.serviceAccountName" . }} {{- with .Values.imagePullSecrets }} imagePullSecrets: 
@@ -73,7 +83,11 @@ spec: restartPolicy: Always {{- if .Values.securityContext.enabled }} securityContext: - {{- toYaml .Values.initializer.securityContext | nindent 10 }} + {{- include "helpers.securityContext" (list + .Values + "cloudsql.containerSecurityContext" + "securityContext.containerSecurityContext" + ) | nindent 10 }} {{- end }} command: ["/cloud_sql_proxy"] args: @@ -102,7 +116,11 @@ spec: imagePullPolicy: {{ .Values.imagePullPolicy }} {{- if .Values.securityContext.enabled }} securityContext: - {{- toYaml .Values.initializer.securityContext | nindent 10 }} + {{- include "helpers.securityContext" (list + .Values + "django.uwsgi.containerSecurityContext" + "securityContext.containerSecurityContext" + ) | nindent 10 }} {{- end }} envFrom: - configMapRef: @@ -129,7 +147,11 @@ spec: imagePullPolicy: {{ .Values.imagePullPolicy }} {{- if .Values.securityContext.enabled }} securityContext: - {{- toYaml .Values.initializer.securityContext | nindent 10 }} + {{- include "helpers.securityContext" (list + .Values + "initializer.containerSecurityContext" + "securityContext.containerSecurityContext" + ) | nindent 10 }} {{- end }} volumeMounts: {{- if .Values.localsettingspy }} diff --git a/helm/defectdojo/templates/media-pvc.yaml b/helm/defectdojo/templates/media-pvc.yaml index ba95538f6df..57fcae8e0c7 100644 --- a/helm/defectdojo/templates/media-pvc.yaml +++ b/helm/defectdojo/templates/media-pvc.yaml 
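Review bot: The three containers of the initializer Job now draw their securityContext from three different value paths, `cloudsql.containerSecurityContext`, `django.uwsgi.containerSecurityContext` and `initializer.containerSecurityContext` (each falling back to `securityContext.containerSecurityContext`), whereas before the patch all three read `initializer.securityContext`. The middle one makes a Job container depend on the uwsgi container's hardening settings; unless that container really runs the uwsgi image (its header is outside the hunk), `initializer.containerSecurityContext` would keep the Job self-contained, and either way a one-line comment above that include saying why the uwsgi context is borrowed would save the next reader the guess.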
@@ -4,14 +4,20 @@ apiVersion: v1 kind: PersistentVolumeClaim metadata: + {{- with .Values.extraAnnotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ quote $value }} + {{- end }} + {{- end }} labels: defectdojo.org/component: django app.kubernetes.io/name: {{ include "defectdojo.name" $ }} app.kubernetes.io/instance: {{ $.Release.Name }} app.kubernetes.io/managed-by: {{ $.Release.Service }} helm.sh/chart: {{ include "defectdojo.chart" $ }} - {{- with $.Values.extraLabels }} - {{- toYaml . | nindent 4 }} + {{- range $key, $value := .Values.extraLabels }} + {{ $key }}: {{ quote $value }} {{- end }} name: {{ $fullName }} namespace: {{ .Release.Namespace }} diff --git a/helm/defectdojo/templates/network-policy.yaml b/helm/defectdojo/templates/network-policy.yaml index 33768143718..333b58da3e6 100644 --- a/helm/defectdojo/templates/network-policy.yaml +++ b/helm/defectdojo/templates/network-policy.yaml @@ -3,22 +3,22 @@ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: {{ $fullName }}-networkpolicy - namespace: {{ .Release.Namespace }} + {{- with mergeOverwrite dict .Values.extraAnnotations .Values.networkPolicy.annotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ quote $value }} + {{- end }} + {{- end }} labels: app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} helm.sh/chart: {{ include "defectdojo.chart" . }} app.kubernetes.io/name: {{ include "defectdojo.name" . }} - {{- with .Values.extraLabels }} - {{- toYaml . | nindent 4 }} + {{- range $key, $value := .Values.extraLabels }} + {{ $key }}: {{ quote $value }} {{- end }} -{{- if .Values.networkPolicy.annotations }} - annotations: -{{- with .Values.networkPolicy.annotations }} - {{- toYaml . | nindent 4 }} -{{- end }} -{{- end }} + name: {{ $fullName }}-networkpolicy + namespace: {{ .Release.Namespace }} spec: podSelector: matchLabels: 
@@ -44,16 +44,22 @@ spec: apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: {{ $fullName }}-networkpolicy-django - namespace: {{ .Release.Namespace }} + {{- with mergeOverwrite dict .Values.extraAnnotations .Values.networkPolicy.annotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ quote $value }} + {{- end }} + {{- end }} labels: app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} helm.sh/chart: {{ include "defectdojo.chart" . }} app.kubernetes.io/name: {{ include "defectdojo.name" . }} -{{- with .Values.extraLabels }} - {{- toYaml . | nindent 4 }} -{{- end }} + {{- range $key, $value := .Values.extraLabels }} + {{ $key }}: {{ quote $value }} + {{- end }} + name: {{ $fullName }}-networkpolicy-django + namespace: {{ .Release.Namespace }} spec: podSelector: matchLabels: diff --git a/helm/defectdojo/templates/sa.yaml b/helm/defectdojo/templates/sa.yaml index 25a10651dcd..1394f077945 100644 --- a/helm/defectdojo/templates/sa.yaml +++ b/helm/defectdojo/templates/sa.yaml 
@@ -2,32 +2,26 @@ kind: ServiceAccount apiVersion: v1 metadata: - name: {{ include "defectdojo.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "defectdojo.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - helm.sh/chart: {{ include "defectdojo.chart" . }} - {{- with .Values.extraLabels }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.serviceAccount.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} annotations: {{- if (not .Values.disableHooks) }} helm.sh/resource-policy: keep helm.sh/hook: "pre-install" helm.sh/hook-delete-policy: "before-hook-creation" {{- end }} - {{- with .Values.annotations }} - {{ toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.serviceAccount.annotations }} - {{ toYaml . | nindent 4 }} + {{- range $key, $value := mergeOverwrite dict .Values.extraAnnotations .Values.serviceAccount.annotations }} + {{ $key }}: {{ quote $value }} {{- end }} {{- if ne .Values.gke.workloadIdentityEmail "" }} iam.gke.io/gcp-service-account: {{ .Values.gke.workloadIdentityEmail }} {{- end }} + labels: + app.kubernetes.io/name: {{ include "defectdojo.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + helm.sh/chart: {{ include "defectdojo.chart" . }} + {{- range $key, $value := mergeOverwrite dict .Values.extraLabels .Values.serviceAccount.labels }} + {{ $key }}: {{ quote $value }} + {{- end }} + name: {{ include "defectdojo.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} {{- end }} \ No newline at end of file diff --git a/helm/defectdojo/templates/secret-postgresql.yaml b/helm/defectdojo/templates/secret-postgresql.yaml index f8893418ba1..57f38a0e883 100644 --- a/helm/defectdojo/templates/secret-postgresql.yaml +++ b/helm/defectdojo/templates/secret-postgresql.yaml 
@@ -2,28 +2,25 @@ apiVersion: v1 kind: Secret metadata: - name: {{ .Values.postgresql.auth.existingSecret }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "defectdojo.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - helm.sh/chart: {{ include "defectdojo.chart" . }} - {{- with .Values.extraLabels }} - {{- toYaml . | nindent 4 }} - {{- end }} annotations: {{- if (not .Values.disableHooks) }} helm.sh/resource-policy: keep helm.sh/hook: "pre-install" helm.sh/hook-delete-policy: "before-hook-creation" {{- end }} - {{- with .Values.secrets.annotations }} - {{- toYaml . | nindent 4 }} + {{- range $key, $value := mergeOverwrite dict .Values.extraAnnotations .Values.secrets.annotations }} + {{ $key }}: {{ quote $value }} {{- end }} - {{- with .Values.annotations }} - {{- toYaml . | nindent 4 }} + labels: + app.kubernetes.io/name: {{ include "defectdojo.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + helm.sh/chart: {{ include "defectdojo.chart" . }} + {{- range $key, $value := .Values.extraLabels }} + {{ $key }}: {{ quote $value }} {{- end }} + name: {{ .Values.postgresql.auth.existingSecret }} + namespace: {{ .Release.Namespace }} type: Opaque data: {{- if .Values.postgresql.auth.password }} diff --git a/helm/defectdojo/templates/secret-redis.yaml b/helm/defectdojo/templates/secret-redis.yaml index 28b87d9af8d..b2a5a3a84c2 100644 --- a/helm/defectdojo/templates/secret-redis.yaml +++ b/helm/defectdojo/templates/secret-redis.yaml 
@@ -2,28 +2,25 @@ apiVersion: v1 kind: Secret metadata: - name: {{ .Values.redis.auth.existingSecret }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "defectdojo.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - helm.sh/chart: {{ include "defectdojo.chart" . }} - {{- with .Values.extraLabels }} - {{- toYaml . | nindent 4 }} - {{- end }} annotations: {{- if (not .Values.disableHooks) }} helm.sh/resource-policy: keep helm.sh/hook: "pre-install" helm.sh/hook-delete-policy: "before-hook-creation" {{- end }} - {{- with .Values.secrets.annotations }} - {{- toYaml . | nindent 4 }} + {{- range $key, $value := mergeOverwrite dict .Values.extraAnnotations .Values.secrets.annotations }} + {{ $key }}: {{ quote $value }} {{- end }} - {{- with .Values.annotations }} - {{- toYaml . | nindent 4 }} + labels: + app.kubernetes.io/name: {{ include "defectdojo.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + helm.sh/chart: {{ include "defectdojo.chart" . }} + {{- range $key, $value := .Values.extraLabels }} + {{ $key }}: {{ quote $value }} {{- end }} + name: {{ .Values.redis.auth.existingSecret }} + namespace: {{ .Release.Namespace }} type: Opaque data: {{- if .Values.redis.auth.password }} diff --git a/helm/defectdojo/templates/secret.yaml b/helm/defectdojo/templates/secret.yaml index 2f79c70ebf2..3a4a5299d64 100644 --- a/helm/defectdojo/templates/secret.yaml +++ b/helm/defectdojo/templates/secret.yaml 
@@ -3,28 +3,25 @@ apiVersion: v1 kind: Secret metadata: - name: {{ $fullName }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "defectdojo.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - helm.sh/chart: {{ include "defectdojo.chart" . }} - {{- with .Values.extraLabels }} - {{- toYaml . | nindent 4 }} - {{- end }} annotations: {{- if (not .Values.disableHooks) }} helm.sh/resource-policy: keep helm.sh/hook: "pre-install" helm.sh/hook-delete-policy: "before-hook-creation" {{- end }} - {{- with .Values.secrets.annotations }} - {{- toYaml . | nindent 4 }} + {{- range $key, $value := mergeOverwrite dict .Values.extraAnnotations .Values.secrets.annotations }} + {{ $key }}: {{ quote $value }} {{- end }} - {{- with .Values.annotations }} - {{- toYaml . | nindent 4 }} + labels: + app.kubernetes.io/name: {{ include "defectdojo.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + helm.sh/chart: {{ include "defectdojo.chart" . }} + {{- range $key, $value := .Values.extraLabels }} + {{ $key }}: {{ quote $value }} {{- end }} + name: {{ $fullName }} + namespace: {{ .Release.Namespace }} type: Opaque data: {{- if .Values.admin.password }} diff --git a/helm/defectdojo/values.yaml b/helm/defectdojo/values.yaml index 51bcba16835..adca57b42ec 100644 --- a/helm/defectdojo/values.yaml +++ b/helm/defectdojo/values.yaml @@ -1,5 +1,12 @@ --- -# Global settings +# Security context settings +securityContext: + enabled: true + containerSecurityContext: + runAsNonRoot: true + podSecurityContext: + runAsNonRoot: true + # create defectdojo specific secret createSecret: false # create redis secret in defectdojo chart, outside of redis chart 
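Review bot: The new global `securityContext.containerSecurityContext` stops at `runAsNonRoot: true`, and since the later `helpers.securityContext` hunks merge this block into every container (uwsgi, nginx, celery, initializer, CloudSQL proxy, nginx exporter), it is the one place where the rest of the restricted baseline would take effect chart-wide: `allowPrivilegeEscalation: false`, `capabilities: {drop: [ALL]}` and `seccompProfile: {type: RuntimeDefault}`, unless one of the images is known to need a capability. Also worth a comment here: `runAsNonRoot` without `runAsUser` is enforced by the kubelet from the image's USER, which must be numeric; the bundled images are documented as `USER=1001` in the django/nginx hunks below, but the third-party sidecars inherit the same default. Suggested comment above `securityContext:`: `# Defaults merged into every pod/container; runAsNonRoot relies on the image declaring a numeric USER.`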
@@ -15,8 +22,10 @@ createPostgresqlSecret: false # Avoid using pre-install hooks, which might cause issues with ArgoCD disableHooks: false +# Annotations globally added to all resources +extraAnnotations: {} +# Labels globally added to all resources extraLabels: {} -# Add extra labels for k8s # Enables application network policy # For more info follow https://kubernetes.io/docs/concepts/services-networking/network-policies/ @@ -80,15 +89,6 @@ podLabels: {} # Allow overriding of revisionHistoryLimit across all deployments. revisionHistoryLimit: 10 -securityContext: - enabled: true - djangoSecurityContext: - # django dockerfile sets USER=1001 - runAsUser: 1001 - nginxSecurityContext: - # nginx dockerfile sets USER=1001 - runAsUser: 1001 - serviceAccount: # Specifies whether a service account should be created. create: true @@ -104,7 +104,15 @@ serviceAccount: labels: {} dbMigrationChecker: + # Enable/disable the DB migration checker. enabled: true + # Container security context for the DB migration checker. + containerSecurityContext: {} + # Additional environment variables for DB migration checker. + extraEnv: [] + # Array of additional volume mount points for DB migration checker. + extraVolumeMounts: [] + # Resource requests/limits for the DB migration checker. resources: requests: cpu: 100m 
@@ -135,14 +143,19 @@ admin: monitoring: enabled: false - # Add the nginx prometheus exporter sidecar prometheus: + # Add the nginx prometheus exporter sidecar enabled: false image: nginx/nginx-prometheus-exporter:1.4.2 imagePullPolicy: IfNotPresent + # Optional: container security context for nginx prometheus exporter + containerSecurityContext: {} + # Optional: additional environment variables injected to the nginx prometheus exporter container + extraEnv: [] + # Array of additional volume mount points for the nginx prometheus exporter + extraVolumeMounts: [] # Optional: add resource requests/limits for the nginx prometheus exporter container resources: {} -annotations: {} secrets: # Add annotations for secret resources @@ -158,6 +171,8 @@ celery: # Annotations for the Celery beat deployment. annotations: {} affinity: {} + # Container security context for the Celery beat containers. + containerSecurityContext: {} # Additional environment variables injected to Celery beat containers. extraEnv: [] # A list of additional initContainers to run before celery beat containers. @@ -180,6 +195,8 @@ celery: nodeSelector: {} # Annotations for the Celery beat pods. podAnnotations: {} + # Pod security context for the Celery beat pods. + podSecurityContext: {} # Enable readiness probe for Celery beat container. readinessProbe: {} replicas: 1 @@ -197,6 +214,8 @@ celery: # Annotations for the Celery worker deployment. annotations: {} affinity: {} + # Container security context for the Celery worker containers. + containerSecurityContext: {} # Additional environment variables injected to Celery worker containers. extraEnv: [] # A list of additional initContainers to run before celery worker containers. @@ -219,6 +238,8 @@ celery: nodeSelector: {} # Annotations for the Celery beat pods. podAnnotations: {} + # Pod security context for the Celery worker pods. + podSecurityContext: {} # Enable readiness probe for Celery worker container. readinessProbe: {} replicas: 1 
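Review bot: Removing the top-level `annotations` value (`-annotations: {}`) while the secret and service-account templates above switch to `extraAnnotations` means an existing values file that still sets `annotations` loses those annotations silently on upgrade, unless the schema rejects the unknown key, which the visible schema hunks do not show. The 'Moved values' list in the upgrade-notes hunk covers the `securityContext.*` renames but not this one; add an entry `annotations → extraAnnotations` there, or keep reading the old key as a fallback for one release.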
@@ -248,6 +269,9 @@ django: annotations: {} type: "" affinity: {} + # Pod security context for the Django pods. + podSecurityContext: + fsGroup: 1001 ingress: enabled: true ingressClassName: "" @@ -260,6 +284,10 @@ django: # nginx.ingress.kubernetes.io/proxy-read-timeout: "1800" # nginx.ingress.kubernetes.io/proxy-send-timeout: "1800" nginx: + # Container security context for the nginx containers. + containerSecurityContext: &nginxSecurityContext + # nginx dockerfile sets USER=1001 + runAsUser: 1001 # To extra environment variables to the nginx container, you can use extraEnv. For example: # extraEnv: # - name: FOO @@ -285,6 +313,9 @@ django: strategy: {} tolerations: [] uwsgi: + containerSecurityContext: &djangoSecurityContext + # django dockerfile sets USER=1001 + runAsUser: 1001 # To add (or override) extra variables which need to be pulled from another configMap, you can # use extraEnv. For example: # extraEnv: @@ -384,14 +415,16 @@ initializer: limits: cpu: 2000m memory: 512Mi - securityContext: - runAsNonRoot: true + # Container security context for the initializer Job container + containerSecurityContext: {} # Additional environment variables injected to the initializer job pods. extraEnv: [] # Array of additional volume mount points for the initializer job (init)containers. extraVolumeMounts: [] # A list of extra volumes to attach to the initializer job pods. extraVolumes: [] + # Pod security context for the initializer Job + podSecurityContext: {} # staticName defines whether name of the job will be the same (e.g., "defectdojo-initializer") # or different every time - generated based on current time (e.g., "defectdojo-initializer-2024-11-11-18-57") 
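Review bot: The anchors `&nginxSecurityContext` and `&djangoSecurityContext` are defined on the new `containerSecurityContext` keys but no `*` alias appears in any hunk, so they are dead; meanwhile the `celery.*.containerSecurityContext` and `dbMigrationChecker.containerSecurityContext` defaults that the upgrade note names as the replacement for `securityContext.djangoSecurityContext` are `{}`, so those containers lose the explicit `runAsUser: 1001` and rely on `runAsNonRoot: true` plus the image USER. If the anchors were meant to cover that, note that `celery:` and `dbMigrationChecker:` precede `django:` in this file (see the hunk offsets), so the anchor has to be defined before them, e.g. next to the global `securityContext` block, for `containerSecurityContext: *djangoSecurityContext` to resolve; otherwise drop the anchors to keep values.yaml alias-free.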
@@ -457,7 +490,14 @@ cloudsql:
 enable_iam_login: false
 # whether to use a private IP to connect to the database
 use_private_ip: false
- # Optional: add resource requests/limits for the CloudSQL proxy container
+ # Optional: security context for the CloudSQL proxy container.
+ containerSecurityContext:
+
+ # Additional environment variables for the CloudSQL proxy container.
+ extraEnv: []
+ # Array of additional volume mount points for the CloudSQL proxy container
+ extraVolumeMounts: []
+ # Optional: add resource requests/limits for the CloudSQL proxy container.
 resources: {}
 
 # Settings to make running the chart on GKE simpler
@@ -520,7 +560,7 @@ extraSecrets: {}
 # configMapKeyRef:
 # name: my-other-postgres-configmap
 # key: cluster_endpoint
-extraEnv: {}
+extraEnv: []
 
 # To add code snippet which would extend setting functionality, you might add it here
 # It will be stored as ConfigMap and mounted `dojo/settings/local_settings.py`.

From 7240a843b3ffbabb92f71984004829ce83a0e525 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jes=C3=BAs=20Fern=C3=A1ndez?= <7312236+fernandezcuesta@users.noreply.github.com>
Date: Tue, 23 Sep 2025 01:16:04 +0200
Subject: [PATCH 07/13] chore: docs and schema

---
 helm/defectdojo/README.md | 28 ++++++--
 helm/defectdojo/values.schema.json | 104 ++++++++++++++++++++++++-----
 2 files changed, 111 insertions(+), 21 deletions(-)

diff --git a/helm/defectdojo/README.md b/helm/defectdojo/README.md
index e9b0e85455d..a4c670e5731 100644
--- a/helm/defectdojo/README.md
+++ b/helm/defectdojo/README.md
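Review bot: `containerSecurityContext:` under `cloudsql` is left without a value, so it parses as null; helm-docs and the schema generator then pin it that way, as the README table hunk (`cloudsql.containerSecurityContext | string | nil`) and the `cloudsql` properties hunk in values.schema.json (`"type": "null"`) show, which means a user who actually sets an object for it fails schema validation and the new key is unusable, and the later `fix: lint` patch only removes the blank line after it. Use `containerSecurityContext: {}` here and `"type": "object"` in the schema, matching the other `containerSecurityContext` entries in this series.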
@@ -525,10 +525,10 @@ A Helm chart for Kubernetes to install DefectDojo | admin.secretKey | string | `nil` | | | admin.user | string | `"admin"` | | | alternativeHosts | list | `[]` | | -| annotations | object | `{}` | | | celery.annotations | object | `{}` | | | celery.beat.affinity | object | `{}` | | | celery.beat.annotations | object | `{}` | | +| celery.beat.containerSecurityContext | object | `{}` | | | celery.beat.extraEnv | list | `[]` | | | celery.beat.extraInitContainers | list | `[]` | | | celery.beat.extraVolumeMounts | list | `[]` | | @@ -536,6 +536,7 @@ A Helm chart for Kubernetes to install DefectDojo | celery.beat.livenessProbe | object | `{}` | | | celery.beat.nodeSelector | object | `{}` | | | celery.beat.podAnnotations | object | `{}` | | +| celery.beat.podSecurityContext | object | `{}` | | | celery.beat.readinessProbe | object | `{}` | | | celery.beat.replicas | int | `1` | | | celery.beat.resources.limits.cpu | string | `"2000m"` | | @@ -549,6 +550,7 @@ A Helm chart for Kubernetes to install DefectDojo | celery.worker.affinity | object | `{}` | | | celery.worker.annotations | object | `{}` | | | celery.worker.appSettings.poolType | string | `"solo"` | | +| celery.worker.containerSecurityContext | object | `{}` | | | celery.worker.extraEnv | list | `[]` | | | celery.worker.extraInitContainers | list | `[]` | | | celery.worker.extraVolumeMounts | list | `[]` | | @@ -556,6 +558,7 @@ A Helm chart for Kubernetes to install DefectDojo | celery.worker.livenessProbe | object | `{}` | | | celery.worker.nodeSelector | object | `{}` | | | celery.worker.podAnnotations | object | `{}` | | +| celery.worker.podSecurityContext | object | `{}` | | | celery.worker.readinessProbe | object | `{}` | | | celery.worker.replicas | int | `1` | | | celery.worker.resources.limits.cpu | string | `"2000m"` | | 
@@ -564,8 +567,11 @@ A Helm chart for Kubernetes to install DefectDojo | celery.worker.resources.requests.memory | string | `"128Mi"` | | | celery.worker.startupProbe | object | `{}` | | | celery.worker.tolerations | list | `[]` | | +| cloudsql.containerSecurityContext | string | `nil` | | | cloudsql.enable_iam_login | bool | `false` | | | cloudsql.enabled | bool | `false` | | +| cloudsql.extraEnv | list | `[]` | | +| cloudsql.extraVolumeMounts | list | `[]` | | | cloudsql.image.pullPolicy | string | `"IfNotPresent"` | | | cloudsql.image.repository | string | `"gcr.io/cloudsql-docker/gce-proxy"` | | | cloudsql.image.tag | string | `"1.37.9"` | | @@ -576,7 +582,10 @@ A Helm chart for Kubernetes to install DefectDojo | createPostgresqlSecret | bool | `false` | | | createRedisSecret | bool | `false` | | | createSecret | bool | `false` | | +| dbMigrationChecker.containerSecurityContext | object | `{}` | | | dbMigrationChecker.enabled | bool | `true` | | +| dbMigrationChecker.extraEnv | list | `[]` | | +| dbMigrationChecker.extraVolumeMounts | list | `[]` | | | dbMigrationChecker.resources.limits.cpu | string | `"200m"` | | | dbMigrationChecker.resources.limits.memory | string | `"200Mi"` | | | dbMigrationChecker.resources.requests.cpu | string | `"100m"` | | @@ -602,6 +611,7 @@ A Helm chart for Kubernetes to install DefectDojo | django.mediaPersistentVolume.persistentVolumeClaim.size | string | `"5Gi"` | | | django.mediaPersistentVolume.persistentVolumeClaim.storageClassName | string | `nil` | | | django.mediaPersistentVolume.type | string | `"emptyDir"` | | +| django.nginx.containerSecurityContext.runAsUser | int | `1001` | | | django.nginx.extraEnv | list | `[]` | | | django.nginx.extraVolumeMounts | list | `[]` | | | django.nginx.resources.limits.cpu | string | `"2000m"` | | 
@@ -611,6 +621,7 @@ A Helm chart for Kubernetes to install DefectDojo | django.nginx.tls.enabled | bool | `false` | | | django.nginx.tls.generateCertificate | bool | `false` | | | django.nodeSelector | object | `{}` | | +| django.podSecurityContext.fsGroup | int | `1001` | | | django.replicas | int | `1` | | | django.service.annotations | object | `{}` | | | django.service.type | string | `""` | | @@ -622,6 +633,7 @@ A Helm chart for Kubernetes to install DefectDojo | django.uwsgi.certificates.certMountPath | string | `"/certs/"` | | | django.uwsgi.certificates.configName | string | `"defectdojo-ca-certs"` | | | django.uwsgi.certificates.enabled | bool | `false` | | +| django.uwsgi.containerSecurityContext.runAsUser | int | `1001` | | | django.uwsgi.enableDebug | bool | `false` | | | django.uwsgi.extraEnv | list | `[]` | | | django.uwsgi.extraVolumeMounts | list | `[]` | | @@ -647,8 +659,11 @@ A Helm chart for Kubernetes to install DefectDojo | django.uwsgi.startupProbe.periodSeconds | int | `5` | | | django.uwsgi.startupProbe.successThreshold | int | `1` | | | django.uwsgi.startupProbe.timeoutSeconds | int | `1` | | +| extraAnnotations | object | `{}` | | | extraConfigs | object | `{}` | | +| extraEnv | list | `[]` | | | extraLabels | object | `{}` | | +| extraSecrets | object | `{}` | | | gke.useGKEIngress | bool | `false` | | | gke.useManagedCertificate | bool | `false` | | | gke.workloadIdentityEmail | string | `""` | | @@ -657,6 +672,7 @@ A Helm chart for Kubernetes to install DefectDojo | imagePullSecrets | string | `nil` | | | initializer.affinity | object | `{}` | | | initializer.annotations | object | `{}` | | +| initializer.containerSecurityContext | object | `{}` | | | initializer.extraEnv | list | `[]` | | | initializer.extraVolumeMounts | list | `[]` | | | initializer.extraVolumes | list | `[]` | | 
@@ -664,16 +680,20 @@ A Helm chart for Kubernetes to install DefectDojo | initializer.keepSeconds | int | `60` | | | initializer.labels | object | `{}` | | | initializer.nodeSelector | object | `{}` | | +| initializer.podSecurityContext | object | `{}` | | | initializer.resources.limits.cpu | string | `"2000m"` | | | initializer.resources.limits.memory | string | `"512Mi"` | | | initializer.resources.requests.cpu | string | `"100m"` | | | initializer.resources.requests.memory | string | `"256Mi"` | | | initializer.run | bool | `true` | | -| initializer.securityContext.runAsNonRoot | bool | `true` | | | initializer.staticName | bool | `false` | | | initializer.tolerations | list | `[]` | | +| localsettingspy | string | `""` | | | monitoring.enabled | bool | `false` | | +| monitoring.prometheus.containerSecurityContext | object | `{}` | | | monitoring.prometheus.enabled | bool | `false` | | +| monitoring.prometheus.extraEnv | list | `[]` | | +| monitoring.prometheus.extraVolumeMounts | list | `[]` | | | monitoring.prometheus.image | string | `"nginx/nginx-prometheus-exporter:1.4.2"` | | | monitoring.prometheus.imagePullPolicy | string | `"IfNotPresent"` | | | monitoring.prometheus.resources | object | `{}` | | @@ -717,9 +737,9 @@ A Helm chart for Kubernetes to install DefectDojo | repositoryPrefix | string | `"defectdojo"` | | | revisionHistoryLimit | int | `10` | | | secrets.annotations | object | `{}` | | -| securityContext.djangoSecurityContext.runAsUser | int | `1001` | | +| securityContext.containerSecurityContext.runAsNonRoot | bool | `true` | | | securityContext.enabled | bool | `true` | | -| securityContext.nginxSecurityContext.runAsUser | int | `1001` | | +| securityContext.podSecurityContext.runAsNonRoot | bool | `true` | | | serviceAccount.annotations | object | `{}` | | | serviceAccount.create | bool | `true` | | | serviceAccount.labels | object | `{}` | | 
diff --git a/helm/defectdojo/values.schema.json b/helm/defectdojo/values.schema.json index 8ad2ae71e64..be0ec703d50 100644 --- a/helm/defectdojo/values.schema.json +++ b/helm/defectdojo/values.schema.json @@ -34,9 +34,6 @@ "alternativeHosts": { "type": "array" }, - "annotations": { - "type": "object" - }, "celery": { "type": "object", "properties": { @@ -52,6 +49,9 @@ "annotations": { "type": "object" }, + "containerSecurityContext": { + "type": "object" + }, "extraEnv": { "type": "array" }, @@ -73,6 +73,9 @@ "podAnnotations": { "type": "object" }, + "podSecurityContext": { + "type": "object" + }, "readinessProbe": { "type": "object" }, @@ -137,6 +140,9 @@ } } }, + "containerSecurityContext": { + "type": "object" + }, "extraEnv": { "type": "array" }, @@ -158,6 +164,9 @@ "podAnnotations": { "type": "object" }, + "podSecurityContext": { + "type": "object" + }, "readinessProbe": { "type": "object" }, @@ -204,12 +213,21 @@ "cloudsql": { "type": "object", "properties": { + "containerSecurityContext": { + "type": "null" + }, "enable_iam_login": { "type": "boolean" }, "enabled": { "type": "boolean" }, + "extraEnv": { + "type": "array" + }, + "extraVolumeMounts": { + "type": "array" + }, "image": { "type": "object", "properties": { @@ -250,9 +268,18 @@ "dbMigrationChecker": { "type": "object", "properties": { + "containerSecurityContext": { + "type": "object" + }, "enabled": { "type": "boolean" }, + "extraEnv": { + "type": "array" + }, + "extraVolumeMounts": { + "type": "array" + }, "resources": { "type": "object", "properties": { @@ -369,6 +396,14 @@ "nginx": { "type": "object", "properties": { + "containerSecurityContext": { + "type": "object", + "properties": { + "runAsUser": { + "type": "integer" + } + } + }, "extraEnv": { "type": "array" }, @@ -418,6 +453,14 @@ "nodeSelector": { "type": "object" }, + "podSecurityContext": { + "type": "object", + "properties": { + "fsGroup": { + "type": "integer" + } + } + }, "replicas": { "type": "integer" }, 
@@ -469,6 +512,14 @@ } } }, + "containerSecurityContext": { + "type": "object", + "properties": { + "runAsUser": { + "type": "integer" + } + } + }, "enableDebug": { "type": "boolean" }, @@ -578,12 +629,21 @@ } } }, + "extraAnnotations": { + "type": "object" + }, "extraConfigs": { "type": "object" }, + "extraEnv": { + "type": "array" + }, "extraLabels": { "type": "object" }, + "extraSecrets": { + "type": "object" + }, "gke": { "type": "object", "properties": { @@ -619,6 +679,9 @@ "annotations": { "type": "object" }, + "containerSecurityContext": { + "type": "object" + }, "extraEnv": { "type": "array" }, @@ -640,6 +703,9 @@ "nodeSelector": { "type": "object" }, + "podSecurityContext": { + "type": "object" + }, "resources": { "type": "object", "properties": { @@ -670,14 +736,6 @@ "run": { "type": "boolean" }, - "securityContext": { - "type": "object", - "properties": { - "runAsNonRoot": { - "type": "boolean" - } - } - }, "staticName": { "type": "boolean" }, @@ -686,6 +744,9 @@ } } }, + "localsettingspy": { + "type": "string" + }, "monitoring": { "type": "object", "properties": { @@ -695,9 +756,18 @@ "prometheus": { "type": "object", "properties": { + "containerSecurityContext": { + "type": "object" + }, "enabled": { "type": "boolean" }, + "extraEnv": { + "type": "array" + }, + "extraVolumeMounts": { + "type": "array" + }, "image": { "type": "string" }, @@ -935,22 +1005,22 @@ "securityContext": { "type": "object", "properties": { - "djangoSecurityContext": { + "containerSecurityContext": { "type": "object", "properties": { - "runAsUser": { - "type": "integer" + "runAsNonRoot": { + "type": "boolean" } } }, "enabled": { "type": "boolean" }, - "nginxSecurityContext": { + "podSecurityContext": { "type": "object", "properties": { - "runAsUser": { - "type": "integer" + "runAsNonRoot": { + "type": "boolean" } } } From 3a95c9ca61f7c745339389051579151058770a65 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jes=C3=BAs=20Fern=C3=A1ndez?= <7312236+fernandezcuesta@users.noreply.github.com>
Date: Tue, 23 Sep 2025 01:18:28 +0200
Subject: [PATCH 08/13] fix: lint

---
 helm/defectdojo/values.yaml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/helm/defectdojo/values.yaml b/helm/defectdojo/values.yaml
index adca57b42ec..58fe87dbe7f 100644
--- a/helm/defectdojo/values.yaml
+++ b/helm/defectdojo/values.yaml
@@ -492,7 +492,6 @@ cloudsql:
 use_private_ip: false
 # Optional: security context for the CloudSQL proxy container.
 containerSecurityContext:
-
 # Additional environment variables for the CloudSQL proxy container.
 extraEnv: []
 # Array of additional volume mount points for the CloudSQL proxy container

From 00ff4d63edc93dac2e2cfaf8d5d5f86f1acf5d00 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jes=C3=BAs=20Fern=C3=A1ndez?= <7312236+fernandezcuesta@users.noreply.github.com>
Date: Wed, 1 Oct 2025 21:41:30 +0200
Subject: [PATCH 09/13] chore: sort helper

---
 helm/defectdojo/templates/_helpers.tpl | 20 +++++++++----------
 .../templates/celery-beat-deployment.yaml | 6 +++---
 .../templates/celery-worker-deployment.yaml | 6 +++---
 .../templates/django-deployment.yaml | 10 +++++-----
 .../defectdojo/templates/initializer-job.yaml | 8 ++++----
 5 files changed, 25 insertions(+), 25 deletions(-)

diff --git a/helm/defectdojo/templates/_helpers.tpl b/helm/defectdojo/templates/_helpers.tpl
index dd2e9549b7e..43f97e5a044 100644
--- a/helm/defectdojo/templates/_helpers.tpl
+++ b/helm/defectdojo/templates/_helpers.tpl
@@ -147,8 +147,8 @@ securityContext:
 {{- include "helpers.securityContext" (list .Values
- "dbMigrationChecker.containerSecurityContext"
 "securityContext.containerSecurityContext"
+ "dbMigrationChecker.containerSecurityContext"
 ) | nindent 4 }}
 {{- end }}
 envFrom:
@@ -185,8 +185,8 @@ Returns the JSON representation of the value for a dot-notation path
 from a given context.
 
 Args:
- 1: context (e.g., .Values)
- 2: path (e.g., "foo.bar")
+ 0: context (e.g., .Values)
+ 1: path (e.g., "foo.bar")
 */}}
 {{- define "helpers.getValue" -}}
 {{- $ctx := merge dict (index . 0) -}}
@@ -208,20 +208,20 @@ from a given context.
 {{- /*
 Build the security context.
 
 Args:
- 1: values context (.Values)
- 2: the key under the context (e.g., "foo.bar")
- 3: the security context key (e.g. "securityContext.containerSecurityContext")
+ 0: values context (.Values)
+ 1: the default security context key (e.g. "securityContext.containerSecurityContext")
+ 2: the key under the context with security context (e.g., "foo.bar")
 */}}
 {{- define "helpers.securityContext" -}}
 {{- $securityContext := dict -}}
 {{- $values := merge dict (index . 0) -}}
-{{- $path := index . 1 -}}
-{{- $sctx := index . 2 -}}
+{{- $defaultSecurityContextKey := merge dict (index . 1) -}}
+{{- $securityContextKey := merge dict (index . 2) -}}
 {{- with $values }}
 {{- $securityContext = (merge $securityContext
- (include "helpers.getValue" (list $values $sctx) | fromJson)
- (include "helpers.getValue" (list $values $path) | fromJson)
+ (include "helpers.getValue" (list $values $defaultSecurityContextKey) | fromJson)
+ (include "helpers.getValue" (list $values $securityContextKey) | fromJson)
 ) -}}
 {{- end -}}
 {{- with $securityContext -}}
diff --git a/helm/defectdojo/templates/celery-beat-deployment.yaml b/helm/defectdojo/templates/celery-beat-deployment.yaml
index 7e1c505bab3..8a80d0ffec7 100644
--- a/helm/defectdojo/templates/celery-beat-deployment.yaml
+++ b/helm/defectdojo/templates/celery-beat-deployment.yaml
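Review bot: `helpers.securityContext` merges the default key first, `merge $securityContext (default) (component)`, and Sprig's `merge` keeps keys already present in the destination, so on any key both contexts set (say a component's `runAsNonRoot: false` or a different `runAsUser`) the global `securityContext.*` value wins and the per-component value is silently discarded, the opposite of the upgrade note's "override or merge with the global ones". If components are meant to override, use `mergeOverwrite $securityContext (...default...) (...component...)` in the same order; if the global block is meant to be a floor, keep `merge` but state it in the Args comment, e.g. `1: the default security context key (its keys take precedence over 2)`. The same merge lines are carried unchanged into the later `fix: lint and add changes to release notes` helpers hunk, and the argument reorders in the deployment templates do not change which side wins, since the old helper also merged `$sctx` before `$path`. The define's body continues past the end of this hunk.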
@@ -55,8 +55,8 @@ spec:
 securityContext:
 {{- include "helpers.securityContext" (list .Values
- "celery.beat.podSecurityContext"
 "securityContext.podSecurityContext"
+ "celery.beat.podSecurityContext"
 ) | nindent 8 }}
 {{- end }}
 serviceAccountName: {{ include "defectdojo.serviceAccountName" . }}
@@ -98,8 +98,8 @@ spec:
 securityContext:
 {{- include "helpers.securityContext" (list .Values
- "cloudsql.containerSecurityContext"
 "securityContext.containerSecurityContext"
+ "cloudsql.containerSecurityContext"
 ) | nindent 10 }}
 {{- end }}
 command: ["/cloud_sql_proxy"]
@@ -137,8 +137,8 @@ spec:
 securityContext:
 {{- include "helpers.securityContext" (list .Values
- "celery.beat.containerSecurityContext"
 "securityContext.containerSecurityContext"
+ "celery.beat.containerSecurityContext"
 ) | nindent 10 }}
 {{- end }}
 volumeMounts:
diff --git a/helm/defectdojo/templates/celery-worker-deployment.yaml b/helm/defectdojo/templates/celery-worker-deployment.yaml
index 30de8474666..fe2e0f08c6f 100644
--- a/helm/defectdojo/templates/celery-worker-deployment.yaml
+++ b/helm/defectdojo/templates/celery-worker-deployment.yaml
@@ -55,8 +55,8 @@ spec:
 securityContext:
 {{- include "helpers.securityContext" (list .Values
- "celery.worker.podSecurityContext"
 "securityContext.podSecurityContext"
+ "celery.worker.podSecurityContext"
 ) | nindent 8 }}
 {{- end }}
 serviceAccountName: {{ include "defectdojo.serviceAccountName" . }}
@@ -96,8 +96,8 @@ spec:
 securityContext:
 {{- include "helpers.securityContext" (list .Values
- "cloudsql.containerSecurityContext"
 "securityContext.containerSecurityContext"
+ "cloudsql.containerSecurityContext"
 ) | nindent 10 }}
 {{- end }}
 command: ["/cloud_sql_proxy"]
@@ -133,8 +133,8 @@ spec:
 securityContext:
 {{- include "helpers.securityContext" (list .Values
- "celery.worker.containerSecurityContext"
 "securityContext.containerSecurityContext"
+ "celery.worker.containerSecurityContext"
 ) | nindent 10 }}
 {{- end }}
 command: ['/entrypoint-celery-worker.sh']
diff --git a/helm/defectdojo/templates/django-deployment.yaml b/helm/defectdojo/templates/django-deployment.yaml
index 22d518ae200..16738a91b41 100644
--- a/helm/defectdojo/templates/django-deployment.yaml
+++ b/helm/defectdojo/templates/django-deployment.yaml
@@ -68,8 +68,8 @@ spec:
 securityContext:
 {{- include "helpers.securityContext" (list .Values
- "django.podSecurityContext"
 "securityContext.podSecurityContext"
+ "django.podSecurityContext"
 ) | nindent 8 }}
 {{- end }}
 {{- end }}
@@ -118,8 +118,8 @@ spec:
 securityContext:
 {{- include "helpers.securityContext" (list .Values
- "cloudsql.containerSecurityContext"
 "securityContext.containerSecurityContext"
+ "cloudsql.containerSecurityContext"
 ) | nindent 10 }}
 {{- end }}
 command: ["/cloud_sql_proxy"]
@@ -172,8 +172,8 @@ spec:
 securityContext:
 {{- include "helpers.securityContext" (list .Values
- "monitoring.prometheus.containerSecurityContext"
 "securityContext.containerSecurityContext"
+ "monitoring.prometheus.containerSecurityContext"
 ) | nindent 10 }}
 {{- end }}
 {{- with .Values.monitoring.prometheus.extraVolumeMounts }}
@@ -187,8 +187,8 @@ spec:
 securityContext:
 {{- include "helpers.securityContext" (list .Values
- "django.uwsgi.containerSecurityContext"
 "securityContext.containerSecurityContext"
+ "django.uwsgi.containerSecurityContext"
 ) | nindent 10 }}
 {{- end }}
 volumeMounts:
@@ -289,8 +289,8 @@ spec:
 securityContext:
 {{- include "helpers.securityContext" (list .Values
- "django.nginx.containerSecurityContext"
 "securityContext.containerSecurityContext"
+ "django.nginx.containerSecurityContext"
 ) | nindent 10 }}
 {{- end }}
 volumeMounts:
diff --git a/helm/defectdojo/templates/initializer-job.yaml b/helm/defectdojo/templates/initializer-job.yaml
index 8f360d6f43e..795427b34f1 100644
--- a/helm/defectdojo/templates/initializer-job.yaml
+++ b/helm/defectdojo/templates/initializer-job.yaml
@@ -45,8 +45,8 @@ spec:
 securityContext:
 {{- include "helpers.securityContext" (list .Values
- "initializer.podSecurityContext"
 "securityContext.podSecurityContext"
+ "initializer.podSecurityContext"
 ) | nindent 8 }}
 {{- end }}
 serviceAccountName: {{ include "defectdojo.serviceAccountName" . }}
@@ -85,8 +85,8 @@ spec:
 securityContext:
 {{- include "helpers.securityContext" (list .Values
- "cloudsql.containerSecurityContext"
 "securityContext.containerSecurityContext"
+ "cloudsql.containerSecurityContext"
 ) | nindent 10 }}
 {{- end }}
 command: ["/cloud_sql_proxy"]
@@ -118,8 +118,8 @@ spec:
 securityContext:
 {{- include "helpers.securityContext" (list .Values
- "django.uwsgi.containerSecurityContext"
 "securityContext.containerSecurityContext"
+ "django.uwsgi.containerSecurityContext"
 ) | nindent 10 }}
 {{- end }}
 envFrom:
@@ -149,8 +149,8 @@ spec:
 securityContext:
 {{- include "helpers.securityContext" (list .Values
- "initializer.containerSecurityContext"
 "securityContext.containerSecurityContext"
+ "initializer.containerSecurityContext"
 ) | nindent 10 }}
 {{- end }}
 volumeMounts:

From 1e5c1eedf7e1ce9a080981b71172557655fdc376 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jes=C3=BAs=20Fern=C3=A1ndez?= <7312236+fernandezcuesta@users.noreply.github.com>
Date: Wed, 1 Oct 2025 22:05:58 +0200
Subject: [PATCH 10/13] fix: lint and add changes to release notes

---
 docs/content/en/open_source/upgrading/2.51.md | 13 +++++++++++++
 helm/defectdojo/templates/_helpers.tpl | 6 +++---
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/docs/content/en/open_source/upgrading/2.51.md b/docs/content/en/open_source/upgrading/2.51.md
index 973234698d6..2130d7e5a48 100644
--- a/docs/content/en/open_source/upgrading/2.51.md
+++ b/docs/content/en/open_source/upgrading/2.51.md
@@ -18,6 +18,16 @@ This release introduces several important changes to the Helm chart configuratio > The previous volume implementation prevented mounting projected volumes (such as secret mounts with renamed key names) and per-container volume mounts (like nginx emptyDir when readOnlyRootFs is enforced). > The new approach resolves these limitations. +#### Security context + +This Helm chart extends security context capabilities to all deployed pods and containers. +You can define a default pod and container security context globally using `securityContext.podSecurityContext` and `securityContext.containerSecurityContext` keys. +Additionally, each deployment can specify its own pod and container security contexts, which will override or merge with the global ones. + +#### Fine-grained resources + +Now each container can specify the resource requests and limits. + #### Moved values The following Helm chart values have been modified in this release: @@ -27,6 +37,8 @@ The following Helm chart values have been modified in this release: - `redis.redisServer` → `redisServer` (prevents potential schema conflicts with upstream chart) - `redis.transportEncryption.params` → `redisParams` (prevents potential schema conflicts with upstream chart) - `postgresql.postgresServer` → `postgresServer` (prevents potential schema conflicts with upstream chart) +- `securityContext.djangoSecurityContext` → deprecated in favor of container-specific security contexts (`celery.beat.containerSecurityContext`, `celery.worker.containerSecurityContext`, `django.uwsgi.containerSecurityContext` and `dbMigrationChecker.containerSecurityContext`) +- `securityContext.nginxSecurityContext` → deprecated in favor of container-specific security contexts (`django.nginx.containerSecurityContext`) ### New features 
@@ -43,6 +55,7 @@ The following Helm chart values have been modified in this release:
 - **Optional secret references**: Some secret references are now optional, allowing the chart to function even when certain secrets are not created.
 - **Fixed secret mounting**: Resolved issues with optional secret mounts and references.
 - **Improved code organization**: Minor Helm chart refactoring to enhance readability and maintainability.
+- **Extra anotations**: Now we can add common annotations to all resources.
 ## PostgreSQL Major Version Upgrade in Docker Compose
diff --git a/helm/defectdojo/templates/_helpers.tpl b/helm/defectdojo/templates/_helpers.tpl
index 43f97e5a044..c4b6f130ab0 100644
--- a/helm/defectdojo/templates/_helpers.tpl
+++ b/helm/defectdojo/templates/_helpers.tpl
@@ -213,10 +213,10 @@ from a given context.
 2: the key under the context with security context (e.g., "foo.bar")
 */}}
 {{- define "helpers.securityContext" -}}
-{{- $securityContext := dict -}}
 {{- $values := merge dict (index . 0) -}}
-{{- $defaultSecurityContextKey := merge dict (index . 1) -}}
-{{- $securityContextKey := merge dict (index . 2) -}}
+{{- $defaultSecurityContextKey := index . 1 -}}
+{{- $securityContextKey := index . 2 -}}
+{{- $securityContext := dict -}}
 {{- with $values }}
 {{- $securityContext = (merge $securityContext
From 4b6619149e4da7bd8147cd17726d942464aacf77 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jes=C3=BAs=20Fern=C3=A1ndez?= <7312236+fernandezcuesta@users.noreply.github.com>
Date: Thu, 2 Oct 2025 10:40:26 +0200
Subject: [PATCH 11/13] chore: trigger CI
From 56c8467c05fffbcaf277232f1f44933390f1ea06 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jes=C3=BAs=20Fern=C3=A1ndez?= <7312236+fernandezcuesta@users.noreply.github.com>
Date: Tue, 7 Oct 2025 12:44:10 +0200
Subject: [PATCH 12/13] chore: move to 2.52, fix pending issues
---
 docs/content/en/open_source/upgrading/2.51.md | 13 --------
 docs/content/en/open_source/upgrading/2.52.md | 32 +++++++++++++++++--
 helm/defectdojo/values.yaml | 6 ++--
 3 files changed, 33 insertions(+), 18 deletions(-)
diff --git a/docs/content/en/open_source/upgrading/2.51.md b/docs/content/en/open_source/upgrading/2.51.md
index c1bad1756e7..e3cf71186cc 100644
--- a/docs/content/en/open_source/upgrading/2.51.md
+++ b/docs/content/en/open_source/upgrading/2.51.md
@@ -30,16 +30,6 @@ This release introduces several important changes to the Helm chart configuratio
 > The previous volume implementation prevented mounting projected volumes (such as secret mounts with renamed key names) and per-container volume mounts (like nginx emptyDir when readOnlyRootFs is enforced).
 > The new approach resolves these limitations.
-#### Security context
-
-This Helm chart extends security context capabilities to all deployed pods and containers.
-You can define a default pod and container security context globally using `securityContext.podSecurityContext` and `securityContext.containerSecurityContext` keys.
-Additionally, each deployment can specify its own pod and container security contexts, which will override or merge with the global ones.
-
-#### Fine-grained resources
-
-Now each container can specify the resource requests and limits.
-
 #### Moved values
 The following Helm chart values have been modified in this release:
@@ -49,8 +39,6 @@ The following Helm chart values have been modified in this release:
 - `redis.redisServer` → `redisServer` (prevents potential schema conflicts with upstream chart)
 - `redis.transportEncryption.params` → `redisParams` (prevents potential schema conflicts with upstream chart)
 - `postgresql.postgresServer` → `postgresServer` (prevents potential schema conflicts with upstream chart)
-- `securityContext.djangoSecurityContext` → deprecated in favor of container-specific security contexts (`celery.beat.containerSecurityContext`, `celery.worker.containerSecurityContext`, `django.uwsgi.containerSecurityContext` and `dbMigrationChecker.containerSecurityContext`)
-- `securityContext.nginxSecurityContext` → deprecated in favor of container-specific security contexts (`django.nginx.containerSecurityContext`)
 ### New features
@@ -67,7 +55,6 @@ The following Helm chart values have been modified in this release:
 - **Optional secret references**: Some secret references are now optional, allowing the chart to function even when certain secrets are not created.
 - **Fixed secret mounting**: Resolved issues with optional secret mounts and references.
 - **Improved code organization**: Minor Helm chart refactoring to enhance readability and maintainability.
-- **Extra anotations**: Now we can add common annotations to all resources.
 ## PostgreSQL Major Version Upgrade in Docker Compose
diff --git a/docs/content/en/open_source/upgrading/2.52.md b/docs/content/en/open_source/upgrading/2.52.md
index 2cc20c6b446..b15986e5228 100644
--- a/docs/content/en/open_source/upgrading/2.52.md
+++ b/docs/content/en/open_source/upgrading/2.52.md
@@ -2,6 +2,34 @@
 title: 'Upgrading to DefectDojo Version 2.52.x'
 toc_hide: true
 weight: -20251006
-description: No special instructions.
+description: Helm chart changes.
 ---
-There are no special instructions for upgrading to 2.52.x. Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.52.0) for the contents of the release.
+
+## Helm Chart Changes
+
+This release introduces more important changes to the Helm chart configuration:
+
+### Breaking changes
+
+#### Security context
+
+This Helm chart extends security context capabilities to all deployed pods and containers.
+You can define a default pod and container security context globally using `securityContext.podSecurityContext` and `securityContext.containerSecurityContext` keys.
+Additionally, each deployment can specify its own pod and container security contexts, which will override or merge with the global ones.
+
+#### Fine-grained resources
+
+Now each container can specify the resource requests and limits.
+
+#### Moved values
+
+The following Helm chart values have been modified in this release:
+
+- `securityContext.djangoSecurityContext` → deprecated in favor of container-specific security contexts (`celery.beat.containerSecurityContext`, `celery.worker.containerSecurityContext`, `django.uwsgi.containerSecurityContext` and `dbMigrationChecker.containerSecurityContext`)
+- `securityContext.nginxSecurityContext` → deprecated in favor of container-specific security contexts (`django.nginx.containerSecurityContext`)
+
+### Other changes
+
+- **Extra annotations**: Now we can add common annotations to all resources.
+
+There are other instructions for upgrading to 2.52.x. Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.52.0) for the contents of the release.
diff --git a/helm/defectdojo/values.yaml b/helm/defectdojo/values.yaml
index 1b5f8fceea4..bba288d5dbf 100644
--- a/helm/defectdojo/values.yaml
+++ b/helm/defectdojo/values.yaml
@@ -285,7 +285,7 @@ django:
 # nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"
 nginx:
 # Container security context for the nginx containers.
- containerSecurityContext: &nginxSecurityContext
+ containerSecurityContext:
 # nginx dockerfile sets USER=1001
 runAsUser: 1001
 # To extra environment variables to the nginx container, you can use extraEnv. For example:
@@ -313,7 +313,7 @@ django:
 strategy: {}
 tolerations: []
 uwsgi:
- containerSecurityContext: &djangoSecurityContext
+ containerSecurityContext:
 # django dockerfile sets USER=1001
 runAsUser: 1001
 # To add (or override) extra variables which need to be pulled from another configMap, you can
@@ -491,7 +491,7 @@ cloudsql:
 # whether to use a private IP to connect to the database
 use_private_ip: false
 # Optional: security context for the CloudSQL proxy container.
- containerSecurityContext:
+ containerSecurityContext: {}
 # Additional environment variables for the CloudSQL proxy container.
 extraEnv: []
 # Array of additional volume mount points for the CloudSQL proxy container
From 73aa3c42d15b1bdd861d007b2fa84d8085779755 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jes=C3=BAs=20Fern=C3=A1ndez?= <7312236+fernandezcuesta@users.noreply.github.com>
Date: Tue, 7 Oct 2025 13:08:03 +0200
Subject: [PATCH 13/13] chore: docs
---
 helm/defectdojo/README.md | 2 +-
 helm/defectdojo/values.schema.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/helm/defectdojo/README.md b/helm/defectdojo/README.md
index 13eb1f0ec03..fac1345d8c2 100644
--- a/helm/defectdojo/README.md
+++ b/helm/defectdojo/README.md
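Review bot: Dropping the `&nginxSecurityContext` and `&djangoSecurityContext` anchors leaves any surviving `*nginxSecurityContext` / `*djangoSecurityContext` alias in values.yaml unresolvable, which is a YAML parse error rather than a schema warning; these hunks do not show the former alias sites (presumably the `securityContext.djangoSecurityContext` / `securityContext.nginxSecurityContext` keys the 2.52 notes mark as deprecated), so a `helm template` render of the chart should confirm they were updated in the same commit. The nginx and uwsgi blocks now carry only `runAsUser: 1001`, and per the 2.52 notes the rest presumably arrives from the global `securityContext.containerSecurityContext`; a comment such as `# Merged with the global securityContext.containerSecurityContext.` above each block would tell a reader where the remaining fields live. The cloudsql `containerSecurityContext: {}` default agrees with the schema change in the following commit.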
@@ -567,7 +567,7 @@ A Helm chart for Kubernetes to install DefectDojo
 | celery.worker.resources.requests.memory | string | `"128Mi"` | |
 | celery.worker.startupProbe | object | `{}` | |
 | celery.worker.tolerations | list | `[]` | |
-| cloudsql.containerSecurityContext | string | `nil` | |
+| cloudsql.containerSecurityContext | object | `{}` | |
 | cloudsql.enable_iam_login | bool | `false` | |
 | cloudsql.enabled | bool | `false` | |
 | cloudsql.extraEnv | list | `[]` | |
diff --git a/helm/defectdojo/values.schema.json b/helm/defectdojo/values.schema.json
index 64cc9be7bb5..74e14508d13 100644
--- a/helm/defectdojo/values.schema.json
+++ b/helm/defectdojo/values.schema.json
@@ -214,7 +214,7 @@
 "type": "object",
 "properties": {
 "containerSecurityContext": {
- "type": "null"
+ "type": "object"
 },
 "enable_iam_login": {
 "type": "boolean"
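Review bot: Tightening `containerSecurityContext` from `"type": "null"` to `"type": "object"` turns the previous default into a validation failure: a values file that still carries `cloudsql.containerSecurityContext:` with no value (the old `nil` default in the README row this commit also updates) is now rejected by Helm's schema check at install or upgrade time. Neither the 2.52 upgrade notes earlier in this series nor the values.yaml comment mention the change. Either accept both shapes for a release, `"type": ["object", "null"]`, or add a bullet under "Moved values" in the 2.52 notes stating that the key must now be a mapping (`{}`).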