feat(HELM): Use Postgres from CloudPirates

Signed-off-by: kiblik <[email protected]>

Author: kiblik

helm/defectdojo/Chart.lock

@@ -1,9 +1,9 @@
 dependencies:
-- name: postgresql
-  repository: oci://us-docker.pkg.dev/os-public-container-registry/defectdojo
-  version: 16.7.27
+- name: postgres
+  repository: oci://registry-1.docker.io/cloudpirates
+  version: 0.13.3
 - name: valkey
   repository: oci://registry-1.docker.io/cloudpirates
-  version: 0.10.2
-digest: sha256:65773fc2a992a5688995a98ed396ca54de12b88fd7b124459a39961801ae62f3
-generated: "2025-11-25T20:48:39.324383+01:00"
+  version: 0.10.3
+digest: sha256:7a3415b78a329b5d7ffaa860d774d9a6050cf3ad25bb217f37e32de30c0e2cce
+generated: "2025-12-11T22:37:23.132676+01:00"

helm/defectdojo/Chart.yaml

@@ -9,10 +9,10 @@ maintainers:
     email: [email protected]
     url: https://github.com/DefectDojo/django-DefectDojo
 dependencies:
-  - name: postgresql
-    version: ~16.7.0
-    repository: "oci://us-docker.pkg.dev/os-public-container-registry/defectdojo"
-    condition: postgresql.enabled
+  - name: postgres
+    version: 0.13.3
+    repository: "oci://registry-1.docker.io/cloudpirates"
+    condition: postgres.enabled
   - name: valkey
     version: ~0.10.0
     repository: "oci://registry-1.docker.io/cloudpirates"
@@ -34,4 +34,6 @@ dependencies:
 #     description: Critical bug
 annotations:
   artifacthub.io/prerelease: "true"
-  artifacthub.io/changes: ""
+  artifacthub.io/changes: |
+    - kind: changed
+      description: PostgreSQL from Bitnami replaced with CloudPirates

helm/defectdojo/README.md

@@ -310,9 +310,9 @@ helm install \
   --set valkey.architecture=replication \
   --set valkey.replicaCount=3 \
   --set django.ingress.secretName="minikube-tls" \
-  --set postgresql.enabled=true \
-  --set postgresql.replication.enabled=true \
-  --set postgresql.replication.slaveReplicas=3 \
+  --set postgres.enabled=true \
+  --set postgres.replication.enabled=true \
+  --set postgres.replication.slaveReplicas=3 \
   --set createSecret=true \
   --set createValkeySecret=true \
   --set createPostgresqlSecret=true
@@ -525,8 +525,8 @@ A Helm chart for Kubernetes to install DefectDojo
 
 | Repository | Name | Version |
 |------------|------|---------|
+| oci://registry-1.docker.io/cloudpirates | postgres | 0.13.3 |
 | oci://registry-1.docker.io/cloudpirates | valkey | ~0.10.0 |
-| oci://us-docker.pkg.dev/os-public-container-registry/defectdojo | postgresql | ~16.7.0 |
 
 ## Values
 
@@ -740,14 +740,12 @@ A Helm chart for Kubernetes to install DefectDojo
 | networkPolicy.ingress | list | `[]` | For more detailed configuration with ports and peers. It will ignore ingressExtend ``` ingress:  - from:     - podSelector:         matchLabels:           app.kubernetes.io/instance: defectdojo     - podSelector:         matchLabels:           app.kubernetes.io/instance: defectdojo-prometheus    ports:    - protocol: TCP      port: 8443 ``` |
 | networkPolicy.ingressExtend | list | `[]` | if additional labels need to be allowed (e.g. prometheus scraper) ``` ingressExtend:  - podSelector:      matchLabels:      app.kubernetes.io/instance: defectdojo-prometheus ``` |
 | podLabels | object | `{}` | Additional labels to add to the pods: ``` podLabels:   key: value ``` |
-| postgresServer | string | `nil` | To use an external PostgreSQL instance (like CloudSQL), set `postgresql.enabled` to false, set items in `postgresql.auth` part for authentication, and set the address here: |
-| postgresql | object | `{"architecture":"standalone","auth":{"database":"defectdojo","existingSecret":"defectdojo-postgresql-specific","password":"","secretKeys":{"adminPasswordKey":"postgresql-postgres-password","replicationPasswordKey":"postgresql-replication-password","userPasswordKey":"postgresql-password"},"username":"defectdojo"},"enabled":true,"primary":{"affinity":{},"containerSecurityContext":{"enabled":true,"runAsUser":1001},"name":"primary","nodeSelector":{},"persistence":{"enabled":true},"podSecurityContext":{"enabled":true,"fsGroup":1001},"service":{"ports":{"postgresql":5432}}},"shmVolume":{"chmod":{"enabled":false}},"volumePermissions":{"containerSecurityContext":{"runAsUser":1001},"enabled":false}}` | For more advance options check the bitnami chart documentation: https://github.com/bitnami/charts/tree/main/bitnami/postgresql |
-| postgresql.enabled | bool | `true` | To use an external instance, switch enabled to `false` and set the address in `postgresServer` below |
-| postgresql.primary.containerSecurityContext.enabled | bool | `true` | Default is true for K8s. Enabled needs to false for OpenShift restricted SCC and true for anyuid SCC |
-| postgresql.primary.containerSecurityContext.runAsUser | int | `1001` | runAsUser specification below is not applied if enabled=false. enabled=false is the required setting for OpenShift "restricted SCC" to work successfully. |
-| postgresql.primary.podSecurityContext.enabled | bool | `true` | Default is true for K8s. Enabled needs to false for OpenShift restricted SCC and true for anyuid SCC |
-| postgresql.primary.podSecurityContext.fsGroup | int | `1001` | fsGroup specification below is not applied if enabled=false. enabled=false is the required setting for OpenShift "restricted SCC" to work successfully. |
-| postgresql.volumePermissions.containerSecurityContext | object | `{"runAsUser":1001}` | if using restricted SCC set runAsUser: "auto" and if running under anyuid SCC - runAsUser needs to match the line above |
+| postgres | object | `{"affinity":{},"auth":{"database":"defectdojo","existingSecret":"defectdojo-postgresql-specific","password":"","secretKeys":{"adminPasswordKey":"postgresql-postgres-password"},"username":"defectdojo"},"containerSecurityContext":{"runAsUser":1001},"enabled":true,"nodeSelector":{},"persistence":{"containerSecurityContext":{"runAsUser":1001},"enabled":false},"podSecurityContext":{"fsGroup":1001},"service":{"port":5432},"shmVolume":{"chmod":{"enabled":false}}}` | For more advance options check the bitnami chart documentation: https://artifacthub.io/packages/helm/cloudpirates-postgres/postgres |
+| postgres.containerSecurityContext.runAsUser | int | `1001` | runAsUser specification below is not applied if enabled=false. enabled=false is the required setting for OpenShift "restricted SCC" to work successfully. |
+| postgres.enabled | bool | `true` | To use an external instance, switch enabled to `false` and set the address in `postgresServer` below |
+| postgres.persistence.containerSecurityContext | object | `{"runAsUser":1001}` | if using restricted SCC set runAsUser: "auto" and if running under anyuid SCC - runAsUser needs to match the line above |
+| postgres.podSecurityContext.fsGroup | int | `1001` | fsGroup specification below is not applied if enabled=false. enabled=false is the required setting for OpenShift "restricted SCC" to work successfully. |
+| postgresServer | string | `nil` | To use an external PostgreSQL instance (like CloudSQL), set `postgres.enabled` to false, set items in `postgres.auth` part for authentication, and set the address here: |
 | redisParams | string | `""` | Parameters attached to the redis connection string, defaults to "ssl_cert_reqs=optional" if `redisScheme` is `rediss` |
 | redisPort | int | `6379` | Define the protocol to use with the external Redis instance |
 | redisScheme | string | `"redis"` | Define the protocol to use with the external Redis instance |

helm/defectdojo/README.md.gotmpl

@@ -310,9 +310,9 @@ helm install \
   --set valkey.architecture=replication \
   --set valkey.replicaCount=3 \
   --set django.ingress.secretName="minikube-tls" \
-  --set postgresql.enabled=true \
-  --set postgresql.replication.enabled=true \
-  --set postgresql.replication.slaveReplicas=3 \
+  --set postgres.enabled=true \
+  --set postgres.replication.enabled=true \
+  --set postgres.replication.slaveReplicas=3 \
   --set createSecret=true \
   --set createValkeySecret=true \
   --set createPostgresqlSecret=true

helm/defectdojo/templates/_helpers.tpl

@@ -45,13 +45,9 @@
 {{- /*
   Determine the hostname to use for PostgreSQL/Redis.
 */}}
-{{- define "postgresql.hostname" -}}
-{{- if .Values.postgresql.enabled -}}
-{{-  if eq .Values.postgresql.architecture "replication" -}}
-{{-   printf "%s-%s-%s" .Release.Name "postgresql" .Values.postgresql.primary.name | trunc 63 | trimSuffix "-" -}}
-{{-  else -}}
-{{-   printf "%s-%s" .Release.Name "postgresql" | trunc 63 | trimSuffix "-" -}}
-{{-  end -}}
+{{- define "postgres.hostname" -}}
+{{- if .Values.postgres.enabled -}}
+{{-  printf "%s-%s" .Release.Name "postgres" | trunc 63 | trimSuffix "-" -}}
 {{- else -}}
 {{- .Values.postgresServer | default "127.0.0.1" | quote -}}
 {{- end -}}
@@ -233,8 +229,8 @@ Inspired by Bitnami Common Chart v2.31.7
   - name: DD_DATABASE_PASSWORD
     valueFrom:
       secretKeyRef:
-        name: {{ .Values.postgresql.auth.existingSecret | default "defectdojo-postgresql-specific" }}
-        key: {{ .Values.postgresql.auth.secretKeys.userPasswordKey | default "postgresql-password" }}
+        name: {{ .Values.postgres.auth.existingSecret | default "defectdojo-postgresql-specific" }}
+        key: {{ .Values.postgres.auth.secretKeys.userPasswordKey | default "postgresql-password" }}
   {{- with .Values.extraEnv }}
     {{- toYaml . | nindent 2 }}
   {{- end }}
@@ -274,7 +270,7 @@ Inspired by Bitnami Common Chart v2.31.7
   command: ["/cloud_sql_proxy"]
   args:
   - "-verbose={{ .Values.cloudsql.verbose }}"
-  - "-instances={{ .Values.cloudsql.instance }}=tcp:{{ .Values.postgresql.primary.service.ports.postgresql }}"
+  - "-instances={{ .Values.cloudsql.instance }}=tcp:{{ .Values.postgres.primary.service.ports.postgresql }}"
   {{- if .Values.cloudsql.enable_iam_login }}
   - "-enable_iam_login"
   {{- end }}

helm/defectdojo/templates/celery-beat-deployment.yaml

@@ -149,8 +149,8 @@ spec:
         - name: DD_DATABASE_PASSWORD
           valueFrom:
             secretKeyRef:
-              name: {{ .Values.postgresql.auth.existingSecret | default "defectdojo-postgresql-specific" }}
-              key: {{ .Values.postgresql.auth.secretKeys.userPasswordKey | default "postgresql-password" }}
+              name: {{ .Values.postgres.auth.existingSecret | default "defectdojo-postgresql-specific" }}
+              key: {{ .Values.postgres.auth.secretKeys.userPasswordKey | default "postgresql-password" }}
         - name: DD_SECRET_KEY
           valueFrom:
             secretKeyRef:

helm/defectdojo/templates/celery-worker-deployment.yaml

@@ -144,8 +144,8 @@ spec:
         - name: DD_DATABASE_PASSWORD
           valueFrom:
             secretKeyRef:
-              name: {{ .Values.postgresql.auth.existingSecret | default "defectdojo-postgresql-specific" }}
-              key: {{ .Values.postgresql.auth.secretKeys.userPasswordKey | default "postgresql-password" }}
+              name: {{ .Values.postgres.auth.existingSecret | default "defectdojo-postgresql-specific" }}
+              key: {{ .Values.postgres.auth.secretKeys.userPasswordKey | default "postgresql-password" }}
         - name: DD_SECRET_KEY
           valueFrom:
             secretKeyRef:

helm/defectdojo/templates/configmap.yaml

@@ -40,10 +40,10 @@ data:
   DD_CELERY_WORKER_CONCURRENCY: '{{ if eq .Values.celery.worker.appSettings.poolType "prefork" }}{{ .Values.celery.worker.appSettings.concurrency | default "8" }}{{ end }}'
   DD_CELERY_WORKER_PREFETCH_MULTIPLIER: '{{ if eq .Values.celery.worker.appSettings.poolType "prefork" }}{{ .Values.celery.worker.appSettings.prefetchMultiplier | default "128" }}{{ end }}'
   DD_DATABASE_ENGINE: django.db.backends.postgresql
-  DD_DATABASE_HOST: {{ template "postgresql.hostname" . }}
-  DD_DATABASE_PORT: '{{ .Values.postgresql.primary.service.ports.postgresql }}'
-  DD_DATABASE_USER: {{ .Values.postgresql.auth.username }}
-  DD_DATABASE_NAME: {{ .Values.postgresql.auth.database }}
+  DD_DATABASE_HOST: {{ template "postgres.hostname" . }}
+  DD_DATABASE_PORT: '{{ .Values.postgres.service.port }}'
+  DD_DATABASE_USER: {{ .Values.postgres.auth.username }}
+  DD_DATABASE_NAME: {{ .Values.postgres.auth.database }}
   DD_INITIALIZE: '{{ .Values.initializer.run }}'
   DD_UWSGI_ENDPOINT: /run/defectdojo/uwsgi.sock
   DD_UWSGI_HOST: localhost

helm/defectdojo/templates/django-deployment.yaml

@@ -208,8 +208,8 @@ spec:
         - name: DD_DATABASE_PASSWORD
           valueFrom:
             secretKeyRef:
-              name: {{ .Values.postgresql.auth.existingSecret | default "defectdojo-postgresql-specific" }}
-              key: {{ .Values.postgresql.auth.secretKeys.userPasswordKey | default "postgresql-password" }}
+              name: {{ .Values.postgres.auth.existingSecret | default "defectdojo-postgresql-specific" }}
+              key: {{ .Values.postgres.auth.secretKeys.userPasswordKey | default "postgresql-password" }}
         - name: DD_SECRET_KEY
           valueFrom:
             secretKeyRef:

helm/defectdojo/templates/initializer-job.yaml

@@ -153,8 +153,8 @@ spec:
         - name: DD_DATABASE_PASSWORD
           valueFrom:
             secretKeyRef:
-              name: {{ .Values.postgresql.auth.existingSecret }}
-              key: {{ .Values.postgresql.auth.secretKeys.userPasswordKey }}
+              name: {{ .Values.postgres.auth.existingSecret }}
+              key: {{ .Values.postgres.auth.secretKeys.userPasswordKey }}
         {{- with .Values.initializer.extraEnv }}
         {{- toYaml . | nindent 8 }}
         {{- end }}