From 67d92ae44026e9c6d363e2a577e5731661d03793 Mon Sep 17 00:00:00 2001 From: Kurt Garloff Date: Mon, 11 May 2026 15:04:22 +0000 Subject: [PATCH] Update to defectdojo-1.9.26. This addresses some of gtema's concerns: - We use valkey - Use post-bitnami charts Many settings that were overridden by gtema have been copied over, but that certainly needs more studying to work. So please consider the current state experimental. Signed-off-by: Kurt Garloff --- .../defectdojo/overlays/mgmt/helm-values.yaml | 742 ++++++++++++------ .../overlays/mgmt/kustomization.yaml | 4 +- 2 files changed, 500 insertions(+), 246 deletions(-) diff --git a/kubernetes/defectdojo/overlays/mgmt/helm-values.yaml b/kubernetes/defectdojo/overlays/mgmt/helm-values.yaml index 544aad6..c6d67ed 100644 --- a/kubernetes/defectdojo/overlays/mgmt/helm-values.yaml +++ b/kubernetes/defectdojo/overlays/mgmt/helm-values.yaml 
@@ -1,32 +1,85 @@ --- -# Global settings -# create defectdojo specific secret +# -- Security context settings +securityContext: + enabled: true + containerSecurityContext: + runAsNonRoot: true + podSecurityContext: + runAsNonRoot: true + +# -- create defectdojo specific secret createSecret: false -# create redis secret in defectdojo chart, outside of redis chart -createRedisSecret: false -# create postgresql secret in defectdojo chart, outside of postgresql chart +# -- create valkey secret in defectdojo chart, outside of valkey chart +createValkeySecret: false +# -- create postgresql secret in defectdojo chart, outside of postgresql chart createPostgresqlSecret: false -# create postgresql-ha secret in defectdojo chart, outside of postgresql-ha chart -createPostgresqlHaSecret: false -# create postgresql-ha-pgpool secret in defectdojo chart, outside of postgresql-ha chart -createPostgresqlHaPgpoolSecret: false -# Track configuration (trackConfig): will automatically respin application pods in case of config changes detection +# -- Track configuration (trackConfig): will automatically respin application pods in case of config changes detection # can be: -# - disabled, default -# - enabled, enables tracking configuration changes based on SHA256 -trackConfig: "enabled" +# 1. disabled (default) +# 2. enabled, enables tracking configuration changes based on SHA256 +trackConfig: enabled -# Enables application network policy +# -- Avoid using pre-install hooks, which might cause issues with ArgoCD +disableHooks: false + +# -- Annotations globally added to all resources +extraAnnotations: {} +# -- Labels globally added to all resources +extraLabels: {} + +images: + django: + image: + registry: "" + repository: defectdojo/defectdojo-django + # -- If empty, use appVersion. + # Another possible values are: latest, X.X.X, X.X.X-debian, X.X.X-alpine (where X.X.X is version of DD). + # For dev builds (only for testing purposes): nightly-dev, nightly-dev-debian, nightly-dev-alpine. 
+ # To see all, check https://hub.docker.com/r/defectdojo/defectdojo-django/tags. + tag: "" + # -- Prefix "sha256:" is expected in this place + digest: "" + nginx: + image: + registry: "" + repository: defectdojo/defectdojo-nginx + # -- If empty, use appVersion. + # Another possible values are: latest, X.X.X, X.X.X-alpine (where X.X.X is version of DD). + # For dev builds (only for testing purposes): nightly-dev, nightly-dev-alpine. + # To see all, check https://hub.docker.com/r/defectdojo/defectdojo-nginx/tags. + tag: "" + # -- Prefix "sha256:" is expected in this place + digest: "" + +# -- Enables application network policy # For more info follow https://kubernetes.io/docs/concepts/services-networking/network-policies/ networkPolicy: enabled: false - # if additional labels need to be allowed (e.g. prometheus scraper) - ingressExtend: [] + # -- if additional labels need to be allowed (e.g. prometheus scraper) + # ``` # ingressExtend: # - podSelector: # matchLabels: # app.kubernetes.io/instance: defectdojo-prometheus - egress: [] + # ``` + ingressExtend: [] + # -- For more detailed configuration with ports and peers. It will ignore ingressExtend + # ``` + # ingress: + # - from: + # - podSelector: + # matchLabels: + # app.kubernetes.io/instance: defectdojo + # - podSelector: + # matchLabels: + # app.kubernetes.io/instance: defectdojo-prometheus + # ports: + # - protocol: TCP + # port: 8443 + # ``` + #ingress: [] + # -- + # ``` # egress: # - to: # - ipBlock: 
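Review bot: Both `tag: ""` and `digest: ""` are left empty for the django and nginx images, so after this change the deployed DefectDojo version is whatever appVersion chart 1.9.26 carries, whereas the overlay previously pinned `tag: 2.41.1` (the removed line is in the next hunk) and `imagePullPolicy: Always` is kept. If following the chart's appVersion is the intent, a one-line comment saying so would stop the next reader from treating it as an oversight; otherwise set an explicit tag or, better for supply-chain integrity, the `sha256:` digest the comment above `digest` describes. The new `securityContext` block with `runAsNonRoot: true` on both pod and container is a welcome tightening; whether it is merged into the per-component `containerSecurityContext: {}` blocks further down depends on the chart templates and is worth confirming once.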
@@ -34,52 +87,78 @@ networkPolicy: # ports: # - protocol: TCP # port: 443 + # ``` + egress: [] + annotations: {} -# Configuration value to select database type -# Set the "enable" field to true of the database type you select (if you want to use internal database) and false of the one you don't select -database: "postgresql" - -# Primary hostname of instance +# -- Primary hostname of instance host: "defectdojo.infra.sovereignit.cloud" -# The full URL to your defectdojo instance, depends on the domain where DD is deployed, it also affects links in Jira -site_url: "https://defectdojo.infra.sovereignit.cloud" +# -- The full URL to your defectdojo instance, depends on the domain where DD is deployed, it also affects links in Jira. +# Use syntax: `siteUrl: 'https://'` +siteUrl: "https://defectdojo.infra.sovereignit.cloud" -# optional list of alternative hostnames to use that gets appended to +# -- optional list of alternative hostnames to use that gets appended to # DD_ALLOWED_HOSTS. This is necessary when your local hostname does not match # the global hostname. -# alternativeHosts: +alternativeHosts: [] # - defectdojo.example.com imagePullPolicy: Always -# Where to pull the defectDojo images from. 
Defaults to "defectdojo/*" repositories on hub.docker.com -repositoryPrefix: defectdojo -# When using a private registry, name of the secret that holds the registry secret (eg deploy token from gitlab-ci project) +# @schema type:[string, null] +# -- When using a private registry, name of the secret that holds the registry secret (eg deploy token from gitlab-ci project) # Create secrets as: kubectl create secret docker-registry defectdojoregistrykey --docker-username=registry_username --docker-password=registry_password --docker-server='https://index.docker.io/v1/' -# imagePullSecrets: defectdojoregistrykey -tag: 2.41.1 +imagePullSecrets: ~ -# Additional labels to add to the pods: +# -- Additional labels to add to the pods: +# ``` # podLabels: # key: value +# ``` podLabels: {} -# Allow overriding of revisionHistoryLimit across all deployments. -# revisionHistoryLimit: 10 +# -- Allow overriding of revisionHistoryLimit across all deployments. +revisionHistoryLimit: 10 -securityContext: - enabled: true - djangoSecurityContext: - # django dockerfile sets USER=1001 - runAsUser: 1001 - nginxSecurityContext: - # nginx dockerfile sets USER=1001 - runAsUser: 1001 +serviceAccount: + # -- Specifies whether a service account should be created. + create: true + + # -- The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + + # -- Optional additional annotations to add to the DefectDojo's Service Account. + annotations: {} + + # -- Optional additional labels to add to the DefectDojo's Service Account. + labels: {} dbMigrationChecker: + # -- If empty, uses values from images.django.image + image: + registry: "" + repository: "" + tag: "" + digest: "" + # -- Enable/disable the DB migration checker. enabled: true + # -- Container security context for the DB migration checker. + containerSecurityContext: {} + # -- Additional environment variables for DB migration checker. 
+ extraEnv: [] + # -- Array of additional volume mount points for DB migration checker. + extraVolumeMounts: [] + # -- Resource requests/limits for the DB migration checker. tests: unitTests: + # -- If empty, uses values from images.django.image + image: + registry: "" + repository: "" + tag: "" + digest: "" + automountServiceAccountToken: false resources: requests: cpu: 100m 
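Review bot: The `# -- Resource requests/limits for the DB migration checker.` comment at the end of the `dbMigrationChecker` block has no key under it — the next line is `tests:` — so helm-docs style tooling attaches that description to the wrong key and a reader cannot tell whether limits were meant to be set. Either drop the line or follow it with the key it documents, presumably `resources: {}` as the other new blocks in this file do. `tests.unitTests.automountServiceAccountToken: false` is a good default; the same field is absent from `dbMigrationChecker`, which may be deliberate if the chart does not support it there, but is worth a look.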
@@ -90,35 +169,86 @@ tests: admin: user: admin - password: + password: "" firstName: Administrator lastName: User mail: admin@defectdojo.local - secretKey: - credentialAes256Key: - metricsHttpAuthPassword: + secretKey: "" + credentialAes256Key: "" + metricsHttpAuthPassword: "" monitoring: enabled: false - # Add the nginx prometheus exporter sidecar prometheus: + # -- Add the nginx prometheus exporter sidecar enabled: false - image: nginx/nginx-prometheus-exporter:1.3.0 + image: + registry: "" + repository: nginx/nginx-prometheus-exporter + tag: "1.5.1" + digest: "" imagePullPolicy: IfNotPresent + # -- Optional: container security context for nginx prometheus exporter + containerSecurityContext: {} + # -- Optional: additional environment variables injected to the nginx prometheus exporter container + extraEnv: [] + # -- Array of additional volume mount points for the nginx prometheus exporter + extraVolumeMounts: [] + # -- Optional: add resource requests/limits for the nginx prometheus exporter container + resources: {} -annotations: {} +secrets: + # -- Add annotations for secret resources + annotations: {} # Components celery: - broker: redis - # To use an external celery broker, set the hostname here - brokerHost: "" logLevel: INFO - replicas: 2 + # -- Common annotations to worker and beat deployments and pods. + annotations: {} beat: + # -- If empty, uses values from images.django.image + image: + registry: "" + repository: "" + tag: "" + digest: "" + automountServiceAccountToken: false + # -- Annotations for the Celery beat deployment. annotations: {} affinity: {} + # -- Container security context for the Celery beat containers. + containerSecurityContext: {} + # -- Additional environment variables injected to Celery beat containers. + extraEnv: [] + # -- A list of additional initContainers to run before celery beat containers. + extraInitContainers: [] + # -- Array of additional volume mount points for the celery beat containers. 
+ extraVolumeMounts: [] + # -- A list of extra volumes to mount + # @type: array + extraVolumes: [] + # -- Enable liveness probe for Celery beat container. + # ``` + # exec: + # command: + # - bash + # - -c + # - celery -A dojo inspect ping -t 5 + # initialDelaySeconds: 30 + # periodSeconds: 60 + # timeoutSeconds: 10 + # ``` + livenessProbe: {} nodeSelector: {} + # -- Annotations for the Celery beat pods. + podAnnotations: {} + # -- Pod security context for the Celery beat pods. + podSecurityContext: {} + # -- Enable readiness probe for Celery beat container. + readinessProbe: {} + # @schema maximum:1 + # -- Multiple replicas are not allowed (Beat is intended to be a singleton) because scaling to >1 will double-run schedules replicas: 1 resources: requests: 
@@ -127,11 +257,63 @@ celery: limits: cpu: 2000m memory: 256Mi + # -- Enable startup probe for Celery beat container. + startupProbe: {} tolerations: [] worker: + # -- If empty, uses values from images.django.image + image: + registry: "" + repository: "" + tag: "" + digest: "" + # -- Autoscaling configuration for Celery worker deployment. + autoscaling: + enabled: false + minReplicas: 2 + maxReplicas: 3 + targetCPUUtilizationPercentage: 80 + targetMemoryUtilizationPercentage: 80 + behavior: {} + automountServiceAccountToken: false + # -- Annotations for the Celery worker deployment. annotations: {} affinity: {} + # -- Container security context for the Celery worker containers. + containerSecurityContext: {} + # -- Additional environment variables injected to Celery worker containers. + extraEnv: [] + # -- A list of additional initContainers to run before celery worker containers. + extraInitContainers: [] + # -- Array of additional volume mount points for the celery worker containers. + extraVolumeMounts: [] + # -- A list of extra volumes to mount. + # @type: array + extraVolumes: [] + # -- Enable liveness probe for Celery worker containers. + # ``` + # exec: + # command: + # - bash + # - -c + # - celery -A dojo inspect ping -t 5 + # initialDelaySeconds: 30 + # periodSeconds: 60 + # timeoutSeconds: 10 + # ``` + livenessProbe: {} nodeSelector: {} + # -- Annotations for the Celery worker pods. + podAnnotations: {} + # -- Configure pod disruption budgets for Celery worker ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/#specifying-a-poddisruptionbudget + podDisruptionBudget: + enabled: false + minAvailable: 50% + unhealthyPodEvictionPolicy: AlwaysAllow + # -- Pod security context for the Celery worker pods. + podSecurityContext: {} + # -- Enable readiness probe for Celery worker container. + readinessProbe: {} replicas: 1 resources: requests: 
@@ -140,60 +322,48 @@ celery: limits: cpu: 2000m memory: 512Mi + # -- Enable startup probe for Celery worker container. + startupProbe: {} + # -- Termination grace period seconds for Celery worker pods. + terminationGracePeriodSeconds: 300 tolerations: [] - app_settings: - pool_type: solo - # Performance improved celery worker config when needing to deal with a lot of findings (e.g deduplication ops) - # Comment out the "solo" line, and uncomment the following lines. + appSettings: + # -- Performance improved celery worker config when needing to deal with a lot of findings (e.g deduplication ops) # pool_type: prefork - # autoscale_min: 2 - # autoscale_max: 8 + # autoscaleMin: 2 + # autoscaleMax: 8 # concurrency: 8 # prefetch_multiplier: 128 - - # A list of extra volumes to mount. This - # is useful for bringing in extra data that can be referenced by other configurations - # at a well known path, such as local_settings. The - # value of this should be a list of objects. - # - # Example: - # - # ```yaml - # extraVolumes: - # - type: configMap - # name: local_settings - # path: /app/dojo/settings/local_settings.py - # subPath: local_settings.py - # - type: hostPath - # name: host_directory - # path: /tmp - # hostPath: /tmp - # ``` - # - # Each object supports the following keys: - # - # - `type` - Type of the volume, must be one of "configMap", "secret", "hostPath". Case sensitive. - # Even is supported we are highly recommending to avoid hostPath for security reasons (usually blocked by PSP) - # - `name` - Name of the configMap or secret to be mounted. This also controls - # the path that it is mounted to. The volume will be mounted to `/consul/userconfig/`. 
- # - `path` - defines where file should be exposed - # - `subPath` - extracts only particular file from secret or configMap - # - `pathType` - only for hostPath, can be one of the "DirectoryOrCreate", "Directory" (default), "FileOrCreate", - # "File", "Socket", "CharDevice", "BlockDevice" - # - `hostPath` - only for hostPath, file or directory from local host - # @type: array - extraVolumes: [] + poolType: solo django: + # -- Autoscaling configuration for the Django deployment. + autoscaling: + enabled: false + minReplicas: 2 + maxReplicas: 3 + targetCPUUtilizationPercentage: 80 + targetMemoryUtilizationPercentage: 80 + behavior: {} + automountServiceAccountToken: false annotations: {} service: annotations: {} + type: "" affinity: {} + # -- Pod security context for the Django pods. + podSecurityContext: + fsGroup: 1001 ingress: enabled: true ingressClassName: "nginx" activateTLS: true secretName: defectdojo-tls + # -- Restricts the type of ingress controller that can interact with our chart (nginx, traefik, ...) + # `kubernetes.io/ingress.class: nginx` + # Depending on the size and complexity of your scans, you might want to increase the default ingress timeouts if you see repeated 504 Gateway Timeouts + # `nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"` + # `nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"` annotations: cert-manager.io/cluster-issuer: letsencrypt-prod nginx.ingress.kubernetes.io/proxy-body-size: "50m" 
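Review bot: The commented-out tuning example above `poolType: solo` still uses the old spelling `# pool_type: prefork` (and `# prefetch_multiplier: 128`) while the live key and the neighbouring examples were renamed to camelCase (`poolType`, `autoscaleMin`, `autoscaleMax`); uncommenting it as written would add a second, unread key rather than change the pool type, assuming the chart reads `poolType`. Change the example to `# poolType: prefork` and confirm the spelling of the remaining example keys against the chart's values.yaml. `django.service.type: ""` is a new empty value; if the chart treats empty as ClusterIP it is harmless, but a short comment stating the intended default would avoid a second guess.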
@@ -202,7 +372,28 @@ django: # Depending on the size and complexity of your scans, you might want to increase the default ingress timeouts if you see repeated 504 Gateway Timeouts # nginx.ingress.kubernetes.io/proxy-read-timeout: "1800" # nginx.ingress.kubernetes.io/proxy-send-timeout: "1800" + # annotations: {} nginx: + # -- If empty, uses values from images.nginx.image + image: + registry: "" + repository: "" + tag: "" + digest: "" + # -- Container security context for the nginx containers. + containerSecurityContext: + # -- nginx dockerfile sets USER=1001 + runAsUser: 1001 + # -- To extra environment variables to the nginx container, you can use extraEnv. For example: + # extraEnv: + # - name: FOO + # valueFrom: + # configMapKeyRef: + # name: foo + # key: bar + extraEnv: [] + # -- Array of additional volume mount points for nginx containers. + extraVolumeMounts: [] tls: enabled: false generateCertificate: false 
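Review bot: The added `# annotations: {}` line sits after the populated `django.ingress.annotations` map (cert-manager issuer and proxy-body-size, above the hunk) and under three lines of commented examples, so it reads as if annotations were disabled; it looks like a leftover from the upstream values and should be dropped. The `nginx.containerSecurityContext` now only carries `runAsUser: 1001`; if the global `securityContext.containerSecurityContext.runAsNonRoot: true` from the top of the file is merged in by the chart that is sufficient, otherwise consider restating it here — confirm against the chart templates.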
@@ -214,17 +405,61 @@ django: cpu: 2000m memory: 256Mi nodeSelector: {} - replicas: 2 + # -- Configure pod disruption budgets for django ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/#specifying-a-poddisruptionbudget + podDisruptionBudget: + enabled: false + minAvailable: 50% + unhealthyPodEvictionPolicy: AlwaysAllow + replicas: 1 + strategy: {} + # -- Termination grace period seconds for django pods. + terminationGracePeriodSeconds: 60 tolerations: [] uwsgi: + # -- If empty, uses values from images.django.image + image: + registry: "" + repository: "" + tag: "" + digest: "" + containerSecurityContext: + # -- django dockerfile sets USER=1001 + runAsUser: 1001 + # -- To add (or override) extra variables which need to be pulled from another configMap, you can + # use extraEnv. For example: + # extraEnv: + # - name: DD_DATABASE_HOST + # valueFrom: + # configMapKeyRef: + # name: my-other-postgres-configmap + # key: cluster_endpoint + extraEnv: [] + # -- Array of additional volume mount points for uwsgi containers. + extraVolumeMounts: [] livenessProbe: - # Enable liveness checks on uwsgi container. Those values are use on nginx readiness checks as well. + # -- Enable liveness checks on uwsgi container. enabled: true failureThreshold: 6 - initialDelaySeconds: 3 + initialDelaySeconds: 0 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 5 + readinessProbe: + # -- Enable readiness checks on uwsgi container. + enabled: true + failureThreshold: 6 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + startupProbe: + # -- Enable startup checks on uwsgi container. + enabled: true + failureThreshold: 30 + initialDelaySeconds: 0 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 1 resources: requests: cpu: 100m 
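Review bot: `replicas: 1` drops the django deployment from the overlay's previous `replicas: 2` to a single pod, and `podDisruptionBudget.enabled: false` stays off, so any node drain or rollout now takes the UI and API down; the commit message does not mention this as intended. If one replica is the goal for the mgmt environment, add a comment saying so; otherwise restore `replicas: 2` and consider enabling the PDB. The probe changes look sound: `initialDelaySeconds: 0` on the liveness probe is only safe because a `startupProbe` is added alongside it (failureThreshold 30 × periodSeconds 5 before liveness takes over), which is worth stating in the comment above `livenessProbe`.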
@@ -233,83 +468,68 @@ django: cpu: 2000m memory: 512Mi app_settings: - processes: 2 - threads: 2 - # max_fd: 102400 # Uncomment to set the maximum number of file descriptors. If not set will be detected by uwsgi - enable_debug: false # this also requires DD_DEBUG to be set to True + processes: 4 + threads: 4 + # -- Use this value to set the maximum number of file descriptors. If set to 0 will be detected by uwsgi + # e.g. 102400 + maxFd: 0 + # -- this also requires DD_DEBUG to be set to True + enablee_debug: false certificates: - # includes additional CA certificate as volume, it refrences REQUESTS_CA_BUNDLE env varible - # to create configMap `kubectl create cm defectdojo-ca-certs --from-file=ca.crt` + # -- includes additional CA certificate as volume, it refrences REQUESTS_CA_BUNDLE env varible + # to create configMap `kubectl create cm defectdojo-ca-certs --from-file=ca.crt` # NOTE: it reflects REQUESTS_CA_BUNDLE for celery workers, beats as well enabled: false configName: defectdojo-ca-certs certMountPath: /certs/ certFileName: ca.crt - # A list of extra volumes to mount. This - # is useful for bringing in extra data that can be referenced by other configurations - # at a well known path, such as local_settings. The - # value of this should be a list of objects. - # - # Example: - # - # ```yaml - # extraVolumes: - # - type: configMap - # name: local_settings - # path: /app/dojo/settings/local_settings.py - # container: uwsgi - # subPath: local_settings.py - # - type: hostPath - # name: host_directory - # path: /app/dojo/settings/ - # hostPath: /var/run - # container: uwsgi - # ``` - # - # Each object supports the following keys: - # - # - `type` - Type of the volume, must be one of "configMap", "secret", "hostPath". Case sensitive. - # Even is supported we are highly recommending to avoid hostPath for security reasons (usually blocked by PSP) - # - `name` - Name of the configMap or secret to be mounted. This also controls - # the path that it is mounted to. 
The volume will be mounted to `/consul/userconfig/`. - # - `path` - defines where file should be exposed - # - `container` - defines where volume needs to be mounted, must be uwsgi or nginx - # - `subPath` - extracts only particular file from secret or configMap - # - `pathType` - only for hostPath, can be one of the "DirectoryOrCreate", "Directory" (default), "FileOrCreate", - # "File", "Socket", "CharDevice", "BlockDevice" - # - `hostPath` - only for hostPath, file or directory from local host - # @type: array + # -- Additional environment variables injected to all Django containers and initContainers. + extraEnv: [] + # -- A list of additional initContainers to run before the uwsgi and nginx containers. + extraInitContainers: [] + # -- Array of additional volume mount points common to all containers and initContainers. + extraVolumeMounts: [] + # -- A list of extra volumes to mount. extraVolumes: [] - # This feature needs more preparation before can be enabled, please visit KUBERNETES.md#media-persistent-volume + # -- This feature needs more preparation before can be enabled, please visit KUBERNETES.md#media-persistent-volume mediaPersistentVolume: enabled: true - fsGroup: 1001 - # any name + # -- any name name: media - # could be emptyDir (not for production) or pvc + # -- could be emptyDir (not for production) or pvc type: pvc - # in case if pvc specified, should point to the already existing pvc + # -- in case if pvc specified, should point to the already existing pvc persistentVolumeClaim: - # set to true to create a new pvc and if django.mediaPersistentVolume.type is set to pvc + # -- set to true to create a new pvc and if django.mediaPersistentVolume.type is set to pvc create: true - name: + name: "" size: 5Gi + # -- check KUBERNETES.md doc first for option to choose accessModes: - - ReadWriteMany # check KUBERNETES.md doc first for option to choose - storageClassName: csi-cinder-sc-delete + - ReadWriteMany + storageClassName: "csi-cinder-sc-delete" 
initializer: run: true + automountServiceAccountToken: false jobAnnotations: { helm.sh/hook: "post-install,post-upgrade" } - annotations: {} + podAnnotations: {} labels: {} + # -- A positive integer will keep this Job and Pod deployed for the specified number of seconds, after which they will be removed. For all other values, the Job and Pod will remain deployed. keepSeconds: 60 affinity: {} nodeSelector: {} + tolerations: [] + # -- If empty, uses values from images.django.image + image: + registry: "" + repository: "" + tag: "" + digest: "" resources: requests: cpu: 100m 
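Review bot: `enablee_debug: false` under `django.uwsgi.app_settings` is misspelled — the removed line read `enable_debug: false` — so the chart will not see this key and debug mode falls back to the chart's default; Helm only rejects unknown keys when the chart ships a strict values schema, so this would pass silently. Change it to `enable_debug: false` (the spelling on the removed line) and confirm against the chart's values.yaml, which in this same hunk renamed `max_fd` to `maxFd`. `processes`/`threads` also go from 2/2 to 4/4 under the unchanged 512Mi limit; if that is the upstream default rather than a tuning chosen for this cluster, a comment would help the next reader.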
@@ -317,41 +537,25 @@ initializer: limits: cpu: 2000m memory: 512Mi - - # A list of extra volumes to mount. This - # is useful for bringing in extra data that can be referenced by other configurations - # at a well known path, such as local_settings. The - # value of this should be a list of objects. - # - # Example: - # - # ```yaml - # extraVolumes: - # - type: configMap - # name: local_settings - # path: /app/dojo/settings/local_settings.py - # subPath: local_settings.py - # - type: hostPath - # name: host_directory - # path: /tmp - # hostPath: /tmp - # ``` - # - # Each object supports the following keys: - # - # - `type` - Type of the volume, must be one of "configMap", "secret", "hostPath". Case sensitive. - # Even is supported we are highly recommending to avoid hostPath for security reasons (usually blocked by PSP) - # - `name` - Name of the configMap or secret to be mounted. This also controls - # the path that it is mounted to. The volume will be mounted to `/consul/userconfig/`. - # - `path` - defines where file should be exposed - # - `subPath` - extracts only particular file from secret or configMap - # - `pathType` - only for hostPath, can be one of the "DirectoryOrCreate", "Directory" (default), "FileOrCreate", - # "File", "Socket", "CharDevice", "BlockDevice" - # - `hostPath` - only for hostPath, file or directory from local host - # @type: array + # -- Container security context for the initializer Job container + containerSecurityContext: {} + # -- Additional environment variables injected to the initializer job pods. + extraEnv: [] + # -- Array of additional volume mount points for the initializer job (init)containers. + extraVolumeMounts: [] + # -- A list of extra volumes to attach to the initializer job pods. 
extraVolumes: [] + # -- Pod security context for the initializer Job + podSecurityContext: {} + # -- staticName defines whether name of the job will be the same (e.g., "defectdojo-initializer") + # or different every time - generated based on current time (e.g., "defectdojo-initializer-2024-11-11-18-57") + # This might be handy for ArgoCD deployments + staticName: false + +# -- For more advance options check the bitnami chart documentation: https://github.com/bitnami/charts/tree/main/bitnami/postgresql postgresql: + # -- To use an external instance, switch enabled to `false` and set the address in `postgresServer` below enabled: false global: defaultStorageClass: csi-cinder-sc-delete 
@@ -376,20 +580,20 @@ postgresql: ports: postgresql: 5432 podSecurityContext: - # Default is true for K8s. Enabled needs to false for OpenShift restricted SCC and true for anyuid SCC + # -- Default is true for K8s. Enabled needs to false for OpenShift restricted SCC and true for anyuid SCC enabled: true - # fsGroup specification below is not applied if enabled=false. enabled=false is the required setting for OpenShift "restricted SCC" to work successfully. + # -- fsGroup specification below is not applied if enabled=false. enabled=false is the required setting for OpenShift "restricted SCC" to work successfully. fsGroup: 1001 containerSecurityContext: - # Default is true for K8s. Enabled needs to false for OpenShift restricted SCC and true for anyuid SCC + # -- Default is true for K8s. Enabled needs to false for OpenShift restricted SCC and true for anyuid SCC enabled: true - # runAsUser specification below is not applied if enabled=false. enabled=false is the required setting for OpenShift "restricted SCC" to work successfully. + # -- runAsUser specification below is not applied if enabled=false. enabled=false is the required setting for OpenShift "restricted SCC" to work successfully. runAsUser: 1001 affinity: {} nodeSelector: {} volumePermissions: enabled: false - # if using restricted SCC set runAsUser: "auto" and if running under anyuid SCC - runAsUser needs to match the line above + # -- if using restricted SCC set runAsUser: "auto" and if running under anyuid SCC - runAsUser needs to match the line above containerSecurityContext: runAsUser: 1001 shmVolume: 
@@ -400,74 +604,88 @@ postgresql: # the line below: postgresServer: defectdojo-db-rw -postgresqlha: + +# -- Google CloudSQL support in GKE via gce-proxy +cloudsql: + # -- To use CloudSQL in GKE set 'enable: true' enabled: false - global: - defaultStorageClass: "csi-cinder-sc-delete" - pgpool: - existingSecret: "defectdojo-postgresql-ha-pgpool" - serviceAccount: - create: true - postgresql: - replicaCount: 3 - username: "defectdojo" - password: "" - repmgrPassword: "" - database: defectdojo - existingSecret: defectdojo-postgresql-ha-specific - securityContext: - enabled: true - fsGroup: 1001 - containerSecurityContext: - enabled: true - runAsUser: 1001 - pgpool: - replicaCount: 3 - adminPassword: "" - securityContext: - enabled: true - fsGroup: 1001 - volumePermissions: - enabled: true - securityContext: - runAsUser: 1001 - persistence: - enabled: true - service: - ports: - postgresql: 5432 + # -- By default, the proxy has verbose logging. Set this to false to make it less verbose + verbose: true + # -- set repo and image tag of gce-proxy + image: + repository: gcr.io/cloudsql-docker/gce-proxy + tag: 1.37.15 + pullPolicy: IfNotPresent + # -- set CloudSQL instance: 'project:zone:instancename' + instance: "" + # -- use IAM database authentication + enable_iam_login: false + # -- whether to use a private IP to connect to the database + use_private_ip: false + # -- Optional: security context for the CloudSQL proxy container. + containerSecurityContext: {} + # -- Additional environment variables for the CloudSQL proxy container. + extraEnv: [] + # -- Array of additional volume mount points for the CloudSQL proxy container + extraVolumeMounts: [] + # -- Optional: add resource requests/limits for the CloudSQL proxy container. 
+ resources: {} -# For more advance options check the bitnami chart documentation: https://github.com/bitnami/charts/tree/master/bitnami/redis -redis: +# -- Settings to make running the chart on GKE simpler +gke: + # -- Set to true to configure the Ingress to use the GKE provided ingress controller + useGKEIngress: false + # -- Set to true to have GKE automatically provision a TLS certificate for the host specified + # Requires useGKEIngress to be set to true + # When using this option, be sure to set django.ingress.activateTLS to false + useManagedCertificate: false + # -- Workload Identity allows the K8s service account to assume the IAM access of a GCP service account to interact with other GCP services + # Only works with serviceAccount.create = true + workloadIdentityEmail: "" + +# -- For more advance options check the bitnami chart documentation: https://artifacthub.io/packages/helm/cloudpirates-valkey/valkey +valkey: global: defaultStorageClass: "csi-cinder-sc-delete" + # -- To use an external instance, switch enabled to `false` and set the address in `redisServer` below enabled: true - scheme: "redis" - transportEncryption: - enabled: false - params: '' + #replicas: 3 auth: - existingSecret: defectdojo-redis-specific - existingSecretPasswordKey: redis-password + existingSecret: defectdojo-valkey-specific + existingSecretPasswordKey: valkey-password password: "" - architecture: standalone - replicas: 3 - # To use an external Redis instance, set enabled to false and uncomment - # the line below: - # redisServer: myrediscluster - # To use a different port for Redis (default: 6379) add a port number and uncomment the lines below: - # master: - # service: - # ports: - # redis: xxxx - -# To add extra variables not predefined by helm config it is possible to define in extraConfigs block, e.g. 
below: + # -- To use a different port for Redis (default: 6379) + service: + port: 6379 + # Sentinel configuration parameters + sentinel: + enabled: false + tls: + # -- If TLS is enabled, the Redis broker will use the redis:// and optionally mount the certificates + # from an existing secret. + enabled: false + # existingSecret: redis-tls + # certFilename: tls.crt + # certKeyFilename: tls.key + # certCAFilename: ca.crt + serviceAccount: + # -- Autocreate dedicated service account (as part of the best practice) + create: true + +# -- To add extra variables not predefined by helm config it is possible to define in extraConfigs block, e.g. below: # NOTE Do not store any kind of sensitive information inside of it -# extraConfigs: -# DD_SOCIAL_AUTH_AUTH0_OAUTH2_ENABLED: 'true' -# DD_SOCIAL_AUTH_AUTH0_KEY: 'dev' -# DD_SOCIAL_AUTH_AUTH0_DOMAIN: 'xxxxx' +# ``` +# DD_SOCIAL_AUTH_AUTH0_OAUTH2_ENABLED: 'true' +# DD_SOCIAL_AUTH_AUTH0_KEY: 'dev' +# DD_SOCIAL_AUTH_AUTH0_DOMAIN: 'xxxxx' +# ``` +extraConfigs: {} +# -- Extra secrets can be created inside of extraSecrets block: +# NOTE This is just an exmaple, do not store sensitive data in plain text form, better inject it during the deployment/upgrade by --set extraSecrets.secret=someSecret +# ``` +# DD_SOCIAL_AUTH_AUTH0_SECRET: 'xxx' +# ``` extraSecrets: # It is not really a "secret" since it only gives possibility to auth into # the app knowing this secret using SCS keycloak, but it is only possible for 
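Review bot: The valkey auth block now points at `existingSecret: defectdojo-valkey-specific` with key `valkey-password`, but nothing in this commit creates that Secret (`createValkeySecret: false` at the top of the file, and the kustomization hunks below add no secret generator), while the previously referenced `defectdojo-redis-specific`/`redis-password` is simply dropped. Unless that Secret is created or renamed out of band before the upgrade, the valkey pods and the Django broker connection will most likely fail to authenticate; a comment naming where the Secret comes from would make the dependency explicit. Two smaller points: `cloudsql.image.tag: 1.37.15` is unquoted and parses as a string only because of the second dot — quote it like the `"1.5.1"` exporter tag above — and the removed `postgresqlha` block leaves its `defectdojo-postgresql-ha-*` Secrets, if they exist in the cluster, unreferenced.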
@@ -483,13 +701,49 @@ extraConfigs: DD_SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL: "https://keycloak.infra.sovereignit.cloud/realms/master/protocol/openid-connect/token" DD_SOCIAL_AUTH_KEYCLOAK_KEY: "defectdojo" DD_SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY: "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuoZh7TLl+yOyRNkB4iCZAu47yZNFY9SLCd2sbN/xm5j3sqaAehJi8wELh1VKImacxPuFyidTXe+Oe/JAF2L7Wy6OOgsY6OHANYPeDrDvB4Wm/7G72rSVHib8Booy/X/3PJ+CIenmc8wfPT5tzFn5aluqd+Qk5JdNei3zhEpxvJBuhMmjNOM946/KqEQjPchRdkE9ZykBwkjzk/LajDsFDtmdTypiNrbNRG4qmfWwpWIPGEN0zOzc2bjVeOelJXdHcRLqAv6ohjHPZmdKyYWWdauyj3XtAkKFJlLOSDIYdoJScjLZcpLfnKMRpJY27fui/CEmKR6/PmIhBpODKZBTtQIDAQAB" - # -# To add (or override) extra variables which need to be pulled from another configMap, you can + +# -- To add (or override) extra variables which need to be pulled from another configMap, you can # use extraEnv. For example: -# extraEnv: +# ``` # - name: DD_DATABASE_HOST # valueFrom: # configMapKeyRef: # name: my-other-postgres-configmap # key: cluster_endpoint +# ``` +extraEnv: [] + +# -- To add code snippet which would extend setting functionality, you might add it here +# It will be stored as ConfigMap and mounted `dojo/settings/local_settings.py`. +# For more see: https://documentation.defectdojo.com/getting_started/configuration/ +# For example: +# ``` +# localsettingspy: | +# INSTALLED_APPS += ( +# 'debug_toolbar', +# ) +# MIDDLEWARE = [ +# 'debug_toolbar.middleware.DebugToolbarMiddleware', +# ] + MIDDLEWARE +# ``` +localsettingspy: "" +# -- Parameters attached to the valkey connection string, defaults to "ssl_cert_reqs=optional" if `valkey.tls.enabled` +valkeyParams: "" +# +# External database support. 
+# +# @schema type:[string, null] +# -- To use an external Redis instance, set `valkey.enabled` to false and set the address here: +redisServer: ~ +# -- Parameters attached to the redis connection string, defaults to "ssl_cert_reqs=optional" if `redisScheme` is `rediss` +redisParams: "" +# -- Define the protocol to use with the external Redis instance +redisPort: 6379 +# -- Define the protocol to use with the external Redis instance +redisScheme: redis +# +# @schema type:[string, null] +# -- To use an external PostgreSQL instance (like CloudSQL), set `postgresql.enabled` to false, +# set items in `postgresql.auth` part for authentication, and set the address here: +postgresServer: ~ diff --git a/kubernetes/defectdojo/overlays/mgmt/kustomization.yaml b/kubernetes/defectdojo/overlays/mgmt/kustomization.yaml index 4395e3a..369c269 100644 --- a/kubernetes/defectdojo/overlays/mgmt/kustomization.yaml +++ b/kubernetes/defectdojo/overlays/mgmt/kustomization.yaml @@ -12,7 +12,7 @@ labels: helmCharts: - name: defectdojo repo: "https://raw.githubusercontent.com/DefectDojo/django-DefectDojo/helm-charts" - version: "1.6.161" + version: "1.9.26" releasename: "main" namespace: "defectdojo" valuesFile: "helm-values.yaml" @@ -33,7 +33,7 @@ patches: - patch: |- - op: replace path: /metadata/name - value: initializer-v1-6-161 + value: initializer-v1-9-26 target: kind: Job group: batch
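Review bot: `postgresServer: ~` at the end of the hunk nulls the external database address, yet the overlay keeps `postgresql.enabled: false` and still carries `postgresServer: defectdojo-db-rw` earlier in the file (context of the `@@ -400,74 +604,88 @@` hunk). If that earlier line is nested under `postgresql:` it no longer matches the top-level key this chart documents ("set the address here"); if it is top-level the file now has a duplicate key and YAML last-wins yields null — either way the Django pods would come up without a database host. Set `postgresServer: defectdojo-db-rw` here and remove the earlier occurrence. Also, the `# --` line above `redisPort: 6379` repeats the `redisScheme` description ("Define the protocol to use"); it should describe the port.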