fix: add missing resources, securityContext and env entries

docs/content/en/open_source/upgrading/2.51.md

@@ -18,6 +18,16 @@ This release introduces several important changes to the Helm chart configuratio
 > The previous volume implementation prevented mounting projected volumes (such as secret mounts with renamed key names) and per-container volume mounts (like nginx emptyDir when readOnlyRootFs is enforced).
 > The new approach resolves these limitations.
 
+#### Security context
+
+This Helm chart extends security context capabilities to all deployed pods and containers.
+You can define a default pod and container security context globally using `securityContext.podSecurityContext` and `securityContext.containerSecurityContext` keys.
+Additionally, each deployment can specify its own pod and container security contexts, which will override or merge with the global ones. 
+
+#### Fine-grained resources
+
+Now each container can specify the resource requests and limits.
+
 #### Moved values
 
 The following Helm chart values have been modified in this release:
@@ -27,6 +37,8 @@ The following Helm chart values have been modified in this release:
 - `redis.redisServer` → `redisServer` (prevents potential schema conflicts with upstream chart)
 - `redis.transportEncryption.params` → `redisParams` (prevents potential schema conflicts with upstream chart)
 - `postgresql.postgresServer` → `postgresServer` (prevents potential schema conflicts with upstream chart)
+- `securityContext.djangoSecurityContext` → deprecated in favor of container-specific security contexts (`celery.beat.containerSecurityContext`, `celery.worker.containerSecurityContext`, `django.uwsgi.containerSecurityContext` and `dbMigrationChecker.containerSecurityContext`)
+- `securityContext.nginxSecurityContext` → deprecated in favor of container-specific security contexts (`django.nginx.containerSecurityContext`)
 
 ### New features
 
@@ -43,6 +55,7 @@ The following Helm chart values have been modified in this release:
 - **Optional secret references**: Some secret references are now optional, allowing the chart to function even when certain secrets are not created.
 - **Fixed secret mounting**: Resolved issues with optional secret mounts and references.
 - **Improved code organization**: Minor Helm chart refactoring to enhance readability and maintainability.
+- **Extra anotations**: Now we can add common annotations to all resources.
 
 ## PostgreSQL Major Version Upgrade in Docker Compose
 

helm/defectdojo/README.md

@@ -524,17 +524,19 @@ A Helm chart for Kubernetes to install DefectDojo
 | admin.password | string | `""` |  |
 | admin.secretKey | string | `""` |  |
 | admin.user | string | `"admin"` |  |
-| annotations | object | `{}` |  |
+| alternativeHosts | list | `[]` |  |
 | celery.annotations | object | `{}` |  |
 | celery.beat.affinity | object | `{}` |  |
 | celery.beat.annotations | object | `{}` |  |
+| celery.beat.containerSecurityContext | object | `{}` |  |
 | celery.beat.extraEnv | list | `[]` |  |
 | celery.beat.extraInitContainers | list | `[]` |  |
 | celery.beat.extraVolumeMounts | list | `[]` |  |
 | celery.beat.extraVolumes | list | `[]` |  |
 | celery.beat.livenessProbe | object | `{}` |  |
 | celery.beat.nodeSelector | object | `{}` |  |
 | celery.beat.podAnnotations | object | `{}` |  |
+| celery.beat.podSecurityContext | object | `{}` |  |
 | celery.beat.readinessProbe | object | `{}` |  |
 | celery.beat.replicas | int | `1` |  |
 | celery.beat.resources.limits.cpu | string | `"2000m"` |  |
@@ -548,13 +550,15 @@ A Helm chart for Kubernetes to install DefectDojo
 | celery.worker.affinity | object | `{}` |  |
 | celery.worker.annotations | object | `{}` |  |
 | celery.worker.appSettings.poolType | string | `"solo"` |  |
+| celery.worker.containerSecurityContext | object | `{}` |  |
 | celery.worker.extraEnv | list | `[]` |  |
 | celery.worker.extraInitContainers | list | `[]` |  |
 | celery.worker.extraVolumeMounts | list | `[]` |  |
 | celery.worker.extraVolumes | list | `[]` |  |
 | celery.worker.livenessProbe | object | `{}` |  |
 | celery.worker.nodeSelector | object | `{}` |  |
 | celery.worker.podAnnotations | object | `{}` |  |
+| celery.worker.podSecurityContext | object | `{}` |  |
 | celery.worker.readinessProbe | object | `{}` |  |
 | celery.worker.replicas | int | `1` |  |
 | celery.worker.resources.limits.cpu | string | `"2000m"` |  |
@@ -563,26 +567,35 @@ A Helm chart for Kubernetes to install DefectDojo
 | celery.worker.resources.requests.memory | string | `"128Mi"` |  |
 | celery.worker.startupProbe | object | `{}` |  |
 | celery.worker.tolerations | list | `[]` |  |
+| cloudsql.containerSecurityContext | string | `nil` |  |
 | cloudsql.enable_iam_login | bool | `false` |  |
 | cloudsql.enabled | bool | `false` |  |
+| cloudsql.extraEnv | list | `[]` |  |
+| cloudsql.extraVolumeMounts | list | `[]` |  |
 | cloudsql.image.pullPolicy | string | `"IfNotPresent"` |  |
 | cloudsql.image.repository | string | `"gcr.io/cloudsql-docker/gce-proxy"` |  |
 | cloudsql.image.tag | string | `"1.37.9"` |  |
 | cloudsql.instance | string | `""` |  |
+| cloudsql.resources | object | `{}` |  |
 | cloudsql.use_private_ip | bool | `false` |  |
 | cloudsql.verbose | bool | `true` |  |
 | createPostgresqlSecret | bool | `false` |  |
 | createRedisSecret | bool | `false` |  |
 | createSecret | bool | `false` |  |
+| dbMigrationChecker.containerSecurityContext | object | `{}` |  |
 | dbMigrationChecker.enabled | bool | `true` |  |
+| dbMigrationChecker.extraEnv | list | `[]` |  |
+| dbMigrationChecker.extraVolumeMounts | list | `[]` |  |
 | dbMigrationChecker.resources.limits.cpu | string | `"200m"` |  |
 | dbMigrationChecker.resources.limits.memory | string | `"200Mi"` |  |
 | dbMigrationChecker.resources.requests.cpu | string | `"100m"` |  |
 | dbMigrationChecker.resources.requests.memory | string | `"100Mi"` |  |
 | disableHooks | bool | `false` |  |
 | django.affinity | object | `{}` |  |
 | django.annotations | object | `{}` |  |
+| django.extraEnv | list | `[]` |  |
 | django.extraInitContainers | list | `[]` |  |
+| django.extraVolumeMounts | list | `[]` |  |
 | django.extraVolumes | list | `[]` |  |
 | django.ingress.activateTLS | bool | `true` |  |
 | django.ingress.annotations | object | `{}` |  |
@@ -598,6 +611,7 @@ A Helm chart for Kubernetes to install DefectDojo
 | django.mediaPersistentVolume.persistentVolumeClaim.size | string | `"5Gi"` |  |
 | django.mediaPersistentVolume.persistentVolumeClaim.storageClassName | string | `""` |  |
 | django.mediaPersistentVolume.type | string | `"emptyDir"` |  |
+| django.nginx.containerSecurityContext.runAsUser | int | `1001` |  |
 | django.nginx.extraEnv | list | `[]` |  |
 | django.nginx.extraVolumeMounts | list | `[]` |  |
 | django.nginx.resources.limits.cpu | string | `"2000m"` |  |
@@ -607,6 +621,7 @@ A Helm chart for Kubernetes to install DefectDojo
 | django.nginx.tls.enabled | bool | `false` |  |
 | django.nginx.tls.generateCertificate | bool | `false` |  |
 | django.nodeSelector | object | `{}` |  |
+| django.podSecurityContext.fsGroup | int | `1001` |  |
 | django.replicas | int | `1` |  |
 | django.service.annotations | object | `{}` |  |
 | django.service.type | string | `""` |  |
@@ -619,6 +634,7 @@ A Helm chart for Kubernetes to install DefectDojo
 | django.uwsgi.certificates.certMountPath | string | `"/certs/"` |  |
 | django.uwsgi.certificates.configName | string | `"defectdojo-ca-certs"` |  |
 | django.uwsgi.certificates.enabled | bool | `false` |  |
+| django.uwsgi.containerSecurityContext.runAsUser | int | `1001` |  |
 | django.uwsgi.enableDebug | bool | `false` |  |
 | django.uwsgi.extraEnv | list | `[]` |  |
 | django.uwsgi.extraVolumeMounts | list | `[]` |  |
@@ -644,6 +660,7 @@ A Helm chart for Kubernetes to install DefectDojo
 | django.uwsgi.startupProbe.periodSeconds | int | `5` |  |
 | django.uwsgi.startupProbe.successThreshold | int | `1` |  |
 | django.uwsgi.startupProbe.timeoutSeconds | int | `1` |  |
+| extraAnnotations | object | `{}` |  |
 | extraConfigs | object | `{}` |  |
 | extraEnv | list | `[]` |  |
 | extraLabels | object | `{}` |  |
@@ -656,13 +673,15 @@ A Helm chart for Kubernetes to install DefectDojo
 | imagePullSecrets | string | `nil` |  |
 | initializer.affinity | object | `{}` |  |
 | initializer.annotations | object | `{}` |  |
+| initializer.containerSecurityContext | object | `{}` |  |
 | initializer.extraEnv | list | `[]` |  |
 | initializer.extraVolumeMounts | list | `[]` |  |
 | initializer.extraVolumes | list | `[]` |  |
 | initializer.jobAnnotations | object | `{}` |  |
 | initializer.keepSeconds | int | `60` |  |
 | initializer.labels | object | `{}` |  |
 | initializer.nodeSelector | object | `{}` |  |
+| initializer.podSecurityContext | object | `{}` |  |
 | initializer.resources.limits.cpu | string | `"2000m"` |  |
 | initializer.resources.limits.memory | string | `"512Mi"` |  |
 | initializer.resources.requests.cpu | string | `"100m"` |  |
@@ -672,9 +691,13 @@ A Helm chart for Kubernetes to install DefectDojo
 | initializer.tolerations | list | `[]` |  |
 | localsettingspy | string | `""` |  |
 | monitoring.enabled | bool | `false` |  |
+| monitoring.prometheus.containerSecurityContext | object | `{}` |  |
 | monitoring.prometheus.enabled | bool | `false` |  |
+| monitoring.prometheus.extraEnv | list | `[]` |  |
+| monitoring.prometheus.extraVolumeMounts | list | `[]` |  |
 | monitoring.prometheus.image | string | `"nginx/nginx-prometheus-exporter:1.4.2"` |  |
 | monitoring.prometheus.imagePullPolicy | string | `"IfNotPresent"` |  |
+| monitoring.prometheus.resources | object | `{}` |  |
 | networkPolicy.annotations | object | `{}` |  |
 | networkPolicy.egress | list | `[]` |  |
 | networkPolicy.enabled | bool | `false` |  |
@@ -715,12 +738,14 @@ A Helm chart for Kubernetes to install DefectDojo
 | repositoryPrefix | string | `"defectdojo"` |  |
 | revisionHistoryLimit | int | `10` |  |
 | secrets.annotations | object | `{}` |  |
-| securityContext.djangoSecurityContext.runAsUser | int | `1001` |  |
+| securityContext.containerSecurityContext.runAsNonRoot | bool | `true` |  |
 | securityContext.enabled | bool | `true` |  |
-| securityContext.nginxSecurityContext.runAsUser | int | `1001` |  |
+| securityContext.podSecurityContext.runAsNonRoot | bool | `true` |  |
 | serviceAccount.annotations | object | `{}` |  |
 | serviceAccount.create | bool | `true` |  |
 | serviceAccount.labels | object | `{}` |  |
+| serviceAccount.name | string | `""` |  |
+| siteUrl | string | `""` |  |
 | tag | string | `"latest"` |  |
 | tests.unitTests.resources.limits.cpu | string | `"500m"` |  |
 | tests.unitTests.resources.limits.memory | string | `"512Mi"` |  |

helm/defectdojo/templates/_helpers.tpl

@@ -1,15 +1,15 @@
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Expand the name of the chart.
+{{- /* vim: set filetype=mustache: */}}
+{{- /*
+  Expand the name of the chart.
 */}}
 {{- define "defectdojo.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
+{{- /*
+  Create a default fully qualified app name.
+  We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+  If release name contains chart name it will be used as a full name.
 */}}
 {{- define "defectdojo.fullname" -}}
 {{- if .Values.fullnameOverride -}}
@@ -24,15 +24,15 @@ If release name contains chart name it will be used as a full name.
 {{- end -}}
 {{- end -}}
 
-{{/*
-Create chart name and version as used by the chart label.
+{{- /*
+  Create chart name and version as used by the chart label.
 */}}
 {{- define "defectdojo.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
-{{/*
-Create the name of the service account to use
+{{- /*
+  Create the name of the service account to use
 */}}
 {{- define "defectdojo.serviceAccountName" -}}
 {{- if .Values.serviceAccount.create -}}
@@ -42,7 +42,7 @@ Create the name of the service account to use
 {{- end -}}
 {{- end -}}
 
-{{/*
+{{- /*
   Determine the hostname to use for PostgreSQL/Redis.
 */}}
 {{- define "postgresql.hostname" -}}
@@ -67,7 +67,7 @@ Create the name of the service account to use
 {{- end -}}
 {{- end -}}
 
-{{/*
+{{- /*
   Determine the protocol to use for Redis.
 */}}
 {{- define "redis.scheme" -}}
@@ -82,7 +82,7 @@ Create the name of the service account to use
 {{- end -}}
 {{- end -}}
 
-{{/*
+{{- /*
   Builds the repository names for use with local or private registries
 */}}
 {{- define "celery.repository" -}}
@@ -109,7 +109,7 @@ Create the name of the service account to use
 {{- end -}}
 {{- end -}}
 
-{{/*
+{{- /*
   Creates the array for DD_ALLOWED_HOSTS in configmap
 */}}
 {{- define "django.allowed_hosts" -}}
@@ -121,7 +121,7 @@ Create the name of the service account to use
 {{- end -}}
 {{- end -}}
 
-{{/*
+{{- /*
   Creates the persistentVolumeName
 */}}
 {{- define "django.pvc_name" -}}
@@ -132,7 +132,7 @@ Create the name of the service account to use
 {{- end -}}
 {{- end -}}
 
-{{/*
+{{- /*
   Define db-migration-checker
 */}}
 {{- define "dbMigrationChecker" -}}
@@ -145,7 +145,11 @@ Create the name of the service account to use
   imagePullPolicy: {{ .Values.imagePullPolicy }}
   {{- if .Values.securityContext.enabled }}
   securityContext:
-    {{- toYaml .Values.securityContext.djangoSecurityContext | nindent 4 }}
+    {{- include "helpers.securityContext" (list
+    .Values
+    "securityContext.containerSecurityContext"
+    "dbMigrationChecker.containerSecurityContext"
+  ) | nindent 4 }}
   {{- end }}
   envFrom:
   - configMapRef:
@@ -163,9 +167,64 @@ Create the name of the service account to use
       secretKeyRef:
         name: {{ .Values.postgresql.auth.existingSecret | default "defectdojo-postgresql-specific" }}
         key: {{ .Values.postgresql.auth.secretKeys.userPasswordKey | default "postgresql-password" }}
-  {{- if .Values.extraEnv }}
-  {{- toYaml .Values.extraEnv | nindent 2 }}
+  {{- with .Values.extraEnv }}
+    {{- toYaml . | nindent 2 }}
+  {{- end }}
+  {{- with.Values.dbMigrationChecker.extraEnv }}
+    {{- toYaml . | nindent 2 }}
   {{- end }}
   resources:
     {{- toYaml .Values.dbMigrationChecker.resources | nindent 4 }}
+  {{- with .Values.dbMigrationChecker.extraVolumeMounts }}
+  volumeMounts:
+    {{- . | toYaml | nindent 4 }}
+  {{- end }}
+{{- end -}}
+
+{{- /*
+Returns the JSON representation of the value for a dot-notation path
+from a given context.
+  Args:
+    0: context (e.g., .Values)
+    1: path (e.g., "foo.bar")
+*/}}
+{{- define "helpers.getValue" -}}
+  {{- $ctx := merge dict (index . 0) -}}
+  {{- $path := index . 1 -}}
+  {{- $parts := splitList "." $path -}}
+  {{- $value := $ctx -}}
+  {{- range $idx, $part := $parts -}}
+    {{- if kindIs "map" $value -}}
+      {{- $value = index $value $part -}}
+    {{- else -}}
+      {{- $value = "" -}}
+      {{- /* Exit early by setting to last iteration */}}
+      {{- $idx = sub (len $parts) 1 -}}
+    {{- end -}}
+  {{- end -}}
+  {{- toJson $value -}}
+{{- end -}}
+
+{{- /*
+  Build the security context.
+  Args:
+    0: values context (.Values)
+    1: the default security context key (e.g. "securityContext.containerSecurityContext")
+    2: the key under the context with security context (e.g., "foo.bar")
+*/}}
+{{- define "helpers.securityContext" -}}
+{{- $values := merge dict (index . 0) -}}
+{{- $defaultSecurityContextKey := index . 1 -}}
+{{- $securityContextKey := index . 2 -}}
+{{- $securityContext := dict -}}
+{{- with $values }}
+  {{- $securityContext = (merge
+    $securityContext
+    (include "helpers.getValue" (list $values $defaultSecurityContextKey) | fromJson)
+    (include "helpers.getValue" (list $values $securityContextKey) | fromJson)
+  ) -}}
+{{- end -}}
+{{- with $securityContext -}}
+{{- . | toYaml | nindent 2 -}}
+{{- end -}}
 {{- end -}}