diff --git a/.github/workflows/k8s-tests.yml b/.github/workflows/k8s-tests.yml index 478fba8cbe0..5dd664ca0ff 100644 --- a/.github/workflows/k8s-tests.yml +++ b/.github/workflows/k8s-tests.yml @@ -76,7 +76,7 @@ jobs: --set valkey.enabled=true \ --set createValkeySecret=true \ --set postgresql.enabled=true \ - --set createPostgresqlSecret=true \ + --set createPostgresSecret=true \ --set createSecret=true - name: Check deployment status diff --git a/.github/workflows/test-helm-chart.yml b/.github/workflows/test-helm-chart.yml index e0f698ecf7c..01d01f29d87 100644 --- a/.github/workflows/test-helm-chart.yml +++ b/.github/workflows/test-helm-chart.yml @@ -103,7 +103,7 @@ jobs: # if: steps.list_changed.outputs.changed == 'true' # - name: Run chart-testing (install) - # run: ct install --config ct.yaml --target-branch ${{ env.ct-branch }} --helm-extra-args '--set createSecret=true --set createRabbitMqSecret=true --set createPostgresqlSecret=true --set timeout=900' + # run: ct install --config ct.yaml --target-branch ${{ env.ct-branch }} --helm-extra-args '--set createSecret=true --set createRabbitMqSecret=true --set createPostgresSecret=true --set timeout=900' # if: steps.list_changed.outputs.changed == 'true' docs_generation: diff --git a/docs/content/en/open_source/upgrading/2.54.md b/docs/content/en/open_source/upgrading/2.54.md index c6843812cb7..594860b13a8 100644 --- a/docs/content/en/open_source/upgrading/2.54.md +++ b/docs/content/en/open_source/upgrading/2.54.md @@ -1,8 +1,8 @@ --- title: 'Upgrading to DefectDojo Version 2.54.x' toc_hide: true -weight: -20250804 -description: Removal of django-auditlog & Dropped support for DD_PARSER_EXCLUDE & Reimport performance improvements +weight: -20251201 +description: "Removal of django-auditlog & Helm chart: Postgresql from Bitnami was replaces with CloudPirates & Dropped support for DD_PARSER_EXCLUDE & Reimport performance improvements" --- ## Breaking Change: Removal of django-auditlog 
@@ -39,6 +39,46 @@ The switch to `django-pghistory` provides several advantages: The backfill migration is not mandatory to succeed. If it fails for some reason, the only side effect will be that the first auditlog diff will contain all fields of an object instead just the changed fields. +## Breaking Change: Helm chart - Postgresql from Bitnami was replaces with CloudPirates + +##### Renamed + removed values + +HELM values had been changed to the following: +- `createPostgresqlSecret` → `createPostgresSecret` +- `postgresql.enabled` → `postgres.enabled` +- `postgresql.auth.username` → `postgres.auth.username` +- `postgresql.auth.password` → `postgres.auth.password` +- `postgresql.auth.database` → `postgres.auth.database` +- `postgresql.auth.existingSecret` → `postgres.auth.existingSecret`, plus value is pointing to secret `defectdojo-postgres-specific` now +- `postgresql.auth.secretKeys.adminPasswordKey` → `postgres.auth.secretKeys.adminPasswordKey`, plus value is pointing to secret `postgres-password` now +- `postgresql.auth.secretKeys.userPasswordKey` - is not used anymore +- `postgresql.auth.secretKeys.replicationPasswordKey` - is not used anymore +- `postgresql.architecture` - is not used anymore +- `postgresql.primary.service.ports.postgresql` → `postgres.service.port` +- rest of `postgresql.primary...` is not used anymore + +TODO - finish this + +The whole subchart is based on [`cloudpirates-postgres`](https://artifacthub.io/packages/helm/cloudpirates-postgres/postgres), so all additional values can be found there. + +If an external Postgres instance is being used, set the parameter `postgres.enabled` to `False`. The parameter `postgresServer` remains available and function as before. + +##### How to migrate to Valkey + +0. As always, perform a backup of your instance +1. If you would like to be 100% sure that you do not miss any async event (triggered deduplication, email notification, ...) 
it is recommended to perform the following substeps (if your system is not in production and/or you are willing to miss some notifications or postpone deduplication to a later time, feel free to skip these substeps) + 0. Perform the following steps with your previous version of HELM chart (not with the upgraded one - you might lose your data) + 1. Downscale all producers of async tasks: + - Set `django.replicas` to 0 (if you used HPA, adjust it based on your needs) + - Set `celery.beat.replicas` to 0 (if you used HPA, adjust it based on your needs) + - Do not change `celery.worker.replicas` (they are responsible for processing your async tasks) + 2. Wait until the processing queue is empty (choose one of the following methods): + - ``kubectl exec statefulset/defectdojo-redis-master -c redis -- redis-cli -a `kubectl get secret defectdojo-redis-specific -o go-template='{{index .data "redis-password" | base64decode}}'` llen celery`` -- should output 0 (if your HELM chart used a different name, adjust the command based on your environment) + - `kubectl logs deployment/defectdojo-celery-worker -c celery --all-pods=true --follow` -- should stop outputting new task logs +2. Replace values based on the _Renamed values_ part, update the chart version, and set the number of replicas back. Be aware that Valkey is using a password from the new location, and if you use `createRedisSecret`/`createValkeySecret` password will be regenerated. If you stored this password somewhere else, it will not be valid anymore. +3. Enjoy DefectDojo + + ## Dropped support for DD_PARSER_EXCLUDE To simplify the management of the DefectDojo application, parser exclusions are no longer controlled via the environment variable DD_PARSER_EXCLUDE or application settings. This variable is now unsupported. diff --git a/helm/defectdojo/Chart.lock b/helm/defectdojo/Chart.lock index ecf2eea23ec..cf3bda34324 100644 --- a/helm/defectdojo/Chart.lock +++ b/helm/defectdojo/Chart.lock 
@@ -1,9 +1,9 @@ dependencies: -- name: postgresql - repository: oci://us-docker.pkg.dev/os-public-container-registry/defectdojo - version: 16.7.27 +- name: postgres + repository: oci://registry-1.docker.io/cloudpirates + version: 0.13.3 - name: valkey repository: oci://registry-1.docker.io/cloudpirates version: 0.13.0 -digest: sha256:2ea1c1bef68a7e7fd2dee4262506c880e48c9703cb7ba9908d91b891fc630048 -generated: "2025-12-15T17:19:18.528341139Z" +digest: sha256:0e62815b84927241859692d2e9d0b0460106474f5efd23d6d63e8fd2789c2d4c +generated: "2025-12-20T00:00:22.276183+01:00" diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml index eb3beff0993..0ac3e4e3633 100644 --- a/helm/defectdojo/Chart.yaml +++ b/helm/defectdojo/Chart.yaml @@ -9,10 +9,10 @@ maintainers: email: defectdojo-project@owasp.org url: https://github.com/DefectDojo/django-DefectDojo dependencies: - - name: postgresql - version: 16.7.27 - repository: "oci://us-docker.pkg.dev/os-public-container-registry/defectdojo" - condition: postgresql.enabled + - name: postgres + version: 0.13.3 + repository: "oci://registry-1.docker.io/cloudpirates" + condition: postgres.enabled - name: valkey version: 0.13.0 repository: "oci://registry-1.docker.io/cloudpirates" @@ -34,4 +34,6 @@ dependencies: # description: Critical bug annotations: artifacthub.io/prerelease: "true" - artifacthub.io/changes: "" + artifacthub.io/changes: | + - kind: changed + description: PostgreSQL from Bitnami replaced with CloudPirates diff --git a/helm/defectdojo/README.md b/helm/defectdojo/README.md index af180999ceb..83fe5bf184f 100644 --- a/helm/defectdojo/README.md +++ b/helm/defectdojo/README.md @@ -95,7 +95,7 @@ helm install \ --set django.ingress.activateTLS=${DJANGO_INGRESS_ACTIVATE_TLS} \ --set createSecret=true \ --set createValkeySecret=true \ - --set createPostgresqlSecret=true + --set createPostgresSecret=true ``` It usually takes up to a minute for the services to startup and the 
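Review bot: The postgres dependency now resolves from the third-party `oci://registry-1.docker.io/cloudpirates` namespace instead of the project-controlled `us-docker.pkg.dev/os-public-container-registry/defectdojo` registry the previous postgresql chart was served from, and Chart.lock pins only a version (its `digest` covers the dependency list, not the fetched chart or the images it references). Since this subchart provisions the database holding every finding, consider mirroring the cloudpirates chart into the project registry as was done before, or at least pinning the postgres image by digest in values; valkey already comes from the same namespace, so this extends an existing trust rather than adding a new one, which is worth saying explicitly. A short comment above the dependency, `# CloudPirates replaces the Bitnami chart (license change); pulled from Docker Hub, mirror if supply-chain policy requires`, would record the decision.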
@@ -281,7 +281,7 @@ helm install \ --set django.ingress.secretName="minikube-tls" \ --set createSecret=true \ --set createValkeySecret=true \ - --set createPostgresqlSecret=true + --set createPostgresSecret=true # For high availability deploy multiple instances of Django, Celery and Valkey helm install \ @@ -296,7 +296,7 @@ helm install \ --set valkey.replicaCount=3 \ --set createSecret=true \ --set createValkeySecret=true \ - --set createPostgresqlSecret=true + --set createPostgresSecret=true # Run highly available PostgreSQL cluster # for production environment. @@ -310,12 +310,12 @@ helm install \ --set valkey.architecture=replication \ --set valkey.replicaCount=3 \ --set django.ingress.secretName="minikube-tls" \ - --set postgresql.enabled=true \ - --set postgresql.replication.enabled=true \ - --set postgresql.replication.slaveReplicas=3 \ + --set postgres.enabled=true \ + --set postgres.replication.enabled=true \ + --set postgres.replication.slaveReplicas=3 \ --set createSecret=true \ --set createValkeySecret=true \ - --set createPostgresqlSecret=true + --set createPostgresSecret=true # Note: If you run `helm install defectdojo before, you will get an error # message like `Error: release defectdojo failed: secrets "defectdojo" already @@ -393,7 +393,7 @@ Sample secret template (replace the placeholders with your PostgreSQL credential apiversion: v1 kind: Secret metadata: - name: defectdojo-postgresql-specific + name: defectdojo-postgres-specific type: Opaque stringData: # I chose stringData for better visualization of the credentials for debugging password: 
@@ -435,9 +435,7 @@ postgresql: database: defectdojo # your database name secretKeys: adminPasswordKey: password # the name of the field containing the password value - userPasswordKey: password # the name of the field containing the password value - replicationPasswordKey: password # the name of the field containing the password value - existingSecret: defectdojo-postgresql-specific # the secret containing your database password + existingSecret: defectdojo-postgres-specific # the secret containing your database password extraEnv: # Overwrite the database endpoint @@ -487,7 +485,7 @@ helm uninstall defectdojo To remove persistent objects not removed by uninstall (this will remove any database): ``` -kubectl delete secrets defectdojo defectdojo-redis-specific defectdojo-postgresql-specific +kubectl delete secrets defectdojo defectdojo-redis-specific defectdojo-postgres-specific kubectl delete serviceAccount defectdojo kubectl delete pvc data-defectdojo-redis-0 data-defectdojo-postgresql-0 ``` @@ -525,8 +523,8 @@ A Helm chart for Kubernetes to install DefectDojo | Repository | Name | Version | |------------|------|---------| -| oci://registry-1.docker.io/cloudpirates | valkey | 0.10.2 | -| oci://us-docker.pkg.dev/os-public-container-registry/defectdojo | postgresql | 16.7.27 | +| oci://registry-1.docker.io/cloudpirates | postgres | 0.13.3 | +| oci://registry-1.docker.io/cloudpirates | valkey | 0.10.3 | ## Values 
@@ -600,7 +598,7 @@ A Helm chart for Kubernetes to install DefectDojo | cloudsql.resources | object | `{}` | Optional: add resource requests/limits for the CloudSQL proxy container. | | cloudsql.use_private_ip | bool | `false` | whether to use a private IP to connect to the database | | cloudsql.verbose | bool | `true` | By default, the proxy has verbose logging. Set this to false to make it less verbose | -| createPostgresqlSecret | bool | `false` | create postgresql secret in defectdojo chart, outside of postgresql chart | +| createPostgresSecret | bool | `false` | create postgresql secret in defectdojo chart, outside of postgresql chart | | createSecret | bool | `false` | create defectdojo specific secret | | createValkeySecret | bool | `false` | create valkey secret in defectdojo chart, outside of valkey chart | | dbMigrationChecker.containerSecurityContext | object | `{}` | Container security context for the DB migration checker. | 
@@ -740,14 +738,12 @@ A Helm chart for Kubernetes to install DefectDojo | networkPolicy.ingress | list | `[]` | For more detailed configuration with ports and peers. It will ignore ingressExtend ``` ingress: - from: - podSelector: matchLabels: app.kubernetes.io/instance: defectdojo - podSelector: matchLabels: app.kubernetes.io/instance: defectdojo-prometheus ports: - protocol: TCP port: 8443 ``` | | networkPolicy.ingressExtend | list | `[]` | if additional labels need to be allowed (e.g. prometheus scraper) ``` ingressExtend: - podSelector: matchLabels: app.kubernetes.io/instance: defectdojo-prometheus ``` | | podLabels | object | `{}` | Additional labels to add to the pods: ``` podLabels: key: value ``` | -| postgresServer | string | `nil` | To use an external PostgreSQL instance (like CloudSQL), set `postgresql.enabled` to false, set items in `postgresql.auth` part for authentication, and set the address here: | -| postgresql | object | `{"architecture":"standalone","auth":{"database":"defectdojo","existingSecret":"defectdojo-postgresql-specific","password":"","secretKeys":{"adminPasswordKey":"postgresql-postgres-password","replicationPasswordKey":"postgresql-replication-password","userPasswordKey":"postgresql-password"},"username":"defectdojo"},"enabled":true,"primary":{"affinity":{},"containerSecurityContext":{"enabled":true,"runAsUser":1001},"name":"primary","nodeSelector":{},"persistence":{"enabled":true},"podSecurityContext":{"enabled":true,"fsGroup":1001},"service":{"ports":{"postgresql":5432}}},"shmVolume":{"chmod":{"enabled":false}},"volumePermissions":{"containerSecurityContext":{"runAsUser":1001},"enabled":false}}` | For more advance options check the bitnami chart documentation: https://github.com/bitnami/charts/tree/main/bitnami/postgresql | -| postgresql.enabled | bool | `true` | To use an external instance, switch enabled to `false` and set the address in `postgresServer` below | -| postgresql.primary.containerSecurityContext.enabled | bool | `true` 
| Default is true for K8s. Enabled needs to false for OpenShift restricted SCC and true for anyuid SCC | -| postgresql.primary.containerSecurityContext.runAsUser | int | `1001` | runAsUser specification below is not applied if enabled=false. enabled=false is the required setting for OpenShift "restricted SCC" to work successfully. | -| postgresql.primary.podSecurityContext.enabled | bool | `true` | Default is true for K8s. Enabled needs to false for OpenShift restricted SCC and true for anyuid SCC | -| postgresql.primary.podSecurityContext.fsGroup | int | `1001` | fsGroup specification below is not applied if enabled=false. enabled=false is the required setting for OpenShift "restricted SCC" to work successfully. | -| postgresql.volumePermissions.containerSecurityContext | object | `{"runAsUser":1001}` | if using restricted SCC set runAsUser: "auto" and if running under anyuid SCC - runAsUser needs to match the line above | +| postgres | object | `{"affinity":{},"auth":{"database":"defectdojo","existingSecret":"defectdojo-postgres-specific","password":"","secretKeys":{"adminPasswordKey":"postgres-password"},"username":"defectdojo"},"containerSecurityContext":{"runAsUser":1001},"enabled":true,"nodeSelector":{},"persistence":{"containerSecurityContext":{"runAsUser":1001},"enabled":false},"podSecurityContext":{"fsGroup":1001},"service":{"port":5432},"shmVolume":{"chmod":{"enabled":false}}}` | For more advance options check the bitnami chart documentation: https://artifacthub.io/packages/helm/cloudpirates-postgres/postgres | +| postgres.containerSecurityContext.runAsUser | int | `1001` | runAsUser specification below is not applied if enabled=false. enabled=false is the required setting for OpenShift "restricted SCC" to work successfully. 
| +| postgres.enabled | bool | `true` | To use an external instance, switch enabled to `false` and set the address in `postgresServer` below | +| postgres.persistence.containerSecurityContext | object | `{"runAsUser":1001}` | if using restricted SCC set runAsUser: "auto" and if running under anyuid SCC - runAsUser needs to match the line above | +| postgres.podSecurityContext.fsGroup | int | `1001` | fsGroup specification below is not applied if enabled=false. enabled=false is the required setting for OpenShift "restricted SCC" to work successfully. | +| postgresServer | string | `nil` | To use an external PostgreSQL instance (like CloudSQL), set `postgres.enabled` to false, set items in `postgres.auth` part for authentication, and set the address here: | | redisParams | string | `""` | Parameters attached to the redis connection string, defaults to "ssl_cert_reqs=optional" if `redisScheme` is `rediss` | | redisPort | int | `6379` | Define the protocol to use with the external Redis instance | | redisScheme | string | `"redis"` | Define the protocol to use with the external Redis instance | diff --git a/helm/defectdojo/README.md.gotmpl b/helm/defectdojo/README.md.gotmpl index b596d0dff6c..7b13dcab22f 100644 --- a/helm/defectdojo/README.md.gotmpl +++ b/helm/defectdojo/README.md.gotmpl @@ -95,7 +95,7 @@ helm install \ --set django.ingress.activateTLS=${DJANGO_INGRESS_ACTIVATE_TLS} \ --set createSecret=true \ --set createValkeySecret=true \ - --set createPostgresqlSecret=true + --set createPostgresSecret=true ``` It usually takes up to a minute for the services to startup and the @@ -281,7 +281,7 @@ helm install \ --set django.ingress.secretName="minikube-tls" \ --set createSecret=true \ --set createValkeySecret=true \ - --set createPostgresqlSecret=true + --set createPostgresSecret=true # For high availability deploy multiple instances of Django, Celery and Valkey helm install \ 
@@ -296,7 +296,7 @@ helm install \ --set valkey.replicaCount=3 \ --set createSecret=true \ --set createValkeySecret=true \ - --set createPostgresqlSecret=true + --set createPostgresSecret=true # Run highly available PostgreSQL cluster # for production environment. @@ -310,12 +310,12 @@ helm install \ --set valkey.architecture=replication \ --set valkey.replicaCount=3 \ --set django.ingress.secretName="minikube-tls" \ - --set postgresql.enabled=true \ - --set postgresql.replication.enabled=true \ - --set postgresql.replication.slaveReplicas=3 \ + --set postgres.enabled=true \ + --set postgres.replication.enabled=true \ + --set postgres.replication.slaveReplicas=3 \ --set createSecret=true \ --set createValkeySecret=true \ - --set createPostgresqlSecret=true + --set createPostgresSecret=true # Note: If you run `helm install defectdojo before, you will get an error # message like `Error: release defectdojo failed: secrets "defectdojo" already @@ -393,7 +393,7 @@ Sample secret template (replace the placeholders with your PostgreSQL credential apiversion: v1 kind: Secret metadata: - name: defectdojo-postgresql-specific + name: defectdojo-postgres-specific type: Opaque stringData: # I chose stringData for better visualization of the credentials for debugging password: @@ -435,9 +435,7 @@ postgresql: database: defectdojo # your database name secretKeys: adminPasswordKey: password # the name of the field containing the password value - userPasswordKey: password # the name of the field containing the password value - replicationPasswordKey: password # the name of the field containing the password value - existingSecret: defectdojo-postgresql-specific # the secret containing your database password + existingSecret: defectdojo-postgres-specific # the secret containing your database password extraEnv: # Overwrite the database endpoint 
@@ -489,7 +487,7 @@ helm uninstall defectdojo To remove persistent objects not removed by uninstall (this will remove any database): ``` -kubectl delete secrets defectdojo defectdojo-redis-specific defectdojo-postgresql-specific +kubectl delete secrets defectdojo defectdojo-redis-specific defectdojo-postgres-specific kubectl delete serviceAccount defectdojo kubectl delete pvc data-defectdojo-redis-0 data-defectdojo-postgresql-0 ``` diff --git a/helm/defectdojo/templates/_helpers.tpl b/helm/defectdojo/templates/_helpers.tpl index aaf7981e34e..c5a8730e008 100644 --- a/helm/defectdojo/templates/_helpers.tpl +++ b/helm/defectdojo/templates/_helpers.tpl @@ -45,13 +45,9 @@ {{- /* Determine the hostname to use for PostgreSQL/Redis. */}} -{{- define "postgresql.hostname" -}} -{{- if .Values.postgresql.enabled -}} -{{- if eq .Values.postgresql.architecture "replication" -}} -{{- printf "%s-%s-%s" .Release.Name "postgresql" .Values.postgresql.primary.name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name "postgresql" | trunc 63 | trimSuffix "-" -}} -{{- end -}} +{{- define "postgres.hostname" -}} +{{- if .Values.postgres.enabled -}} +{{- printf "%s-%s" .Release.Name "postgres" | trunc 63 | trimSuffix "-" -}} {{- else -}} {{- .Values.postgresServer | default "127.0.0.1" | quote -}} {{- end -}} @@ -233,8 +229,8 @@ Inspired by Bitnami Common Chart v2.31.7 - name: DD_DATABASE_PASSWORD valueFrom: secretKeyRef: - name: {{ .Values.postgresql.auth.existingSecret | default "defectdojo-postgresql-specific" }} - key: {{ .Values.postgresql.auth.secretKeys.userPasswordKey | default "postgresql-password" }} + name: {{ .Values.postgres.auth.existingSecret | default "defectdojo-postgres-specific" }} + key: {{ .Values.postgres.auth.secretKeys.adminPasswordKey | default "postgresql-password" }} {{- with .Values.extraEnv }} {{- toYaml . | nindent 2 }} {{- end }} 
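Review bot: The fallback in the new secretKeyRef, `key: {{ .Values.postgres.auth.secretKeys.adminPasswordKey | default "postgresql-password" }}`, still names the old Bitnami key while the renamed default elsewhere in this change is `postgres-password`, so an empty `adminPasswordKey` would point at an entry that `secret-postgres.yaml` never writes and the container would fail to start on the missing key. Use `| default "postgres-password"` here; the same stale fallback is repeated in the celery, django and initializer templates below. Also worth a one-line comment that the application user from `postgres.auth.username` now authenticates with the entry formerly reserved for the admin password; if the cloudpirates subchart uses that key for the superuser as well, the app and the DB superuser share one credential — confirm against the subchart and document it.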
@@ -274,7 +270,7 @@ Inspired by Bitnami Common Chart v2.31.7 command: ["/cloud_sql_proxy"] args: - "-verbose={{ .Values.cloudsql.verbose }}" - - "-instances={{ .Values.cloudsql.instance }}=tcp:{{ .Values.postgresql.primary.service.ports.postgresql }}" + - "-instances={{ .Values.cloudsql.instance }}=tcp:{{ .Values.postgres.primary.service.ports.postgresql }}" {{- if .Values.cloudsql.enable_iam_login }} - "-enable_iam_login" {{- end }} diff --git a/helm/defectdojo/templates/celery-beat-deployment.yaml b/helm/defectdojo/templates/celery-beat-deployment.yaml index be3c5e84ef0..1a0cafe8377 100644 --- a/helm/defectdojo/templates/celery-beat-deployment.yaml +++ b/helm/defectdojo/templates/celery-beat-deployment.yaml @@ -149,8 +149,8 @@ spec: - name: DD_DATABASE_PASSWORD valueFrom: secretKeyRef: - name: {{ .Values.postgresql.auth.existingSecret | default "defectdojo-postgresql-specific" }} - key: {{ .Values.postgresql.auth.secretKeys.userPasswordKey | default "postgresql-password" }} + name: {{ .Values.postgres.auth.existingSecret | default "defectdojo-postgres-specific" }} + key: {{ .Values.postgres.auth.secretKeys.adminPasswordKey | default "postgresql-password" }} - name: DD_SECRET_KEY valueFrom: secretKeyRef: diff --git a/helm/defectdojo/templates/celery-worker-deployment.yaml b/helm/defectdojo/templates/celery-worker-deployment.yaml index 30620c91155..d091e554e38 100644 --- a/helm/defectdojo/templates/celery-worker-deployment.yaml +++ b/helm/defectdojo/templates/celery-worker-deployment.yaml 
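Review bot: The cloud_sql_proxy argument still reads `.Values.postgres.primary.service.ports.postgresql`, but the `primary` subtree no longer exists after this change (the schema hunk and configmap.yaml below use `postgres.service.port`), so rendering with `cloudsql.enabled` set would fail with a nil-pointer template error on `.service` rather than yield the old port. Change it to `- "-instances={{ .Values.cloudsql.instance }}=tcp:{{ .Values.postgres.service.port }}"`. The k8s-tests workflow in this diff only exercises the bundled subchart, so CI presumably never renders this path; a `helm template --set cloudsql.enabled=true` lint step would catch it. The enclosing sidecar definition starts and ends outside the hunk.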
@@ -144,8 +144,8 @@ spec: - name: DD_DATABASE_PASSWORD valueFrom: secretKeyRef: - name: {{ .Values.postgresql.auth.existingSecret | default "defectdojo-postgresql-specific" }} - key: {{ .Values.postgresql.auth.secretKeys.userPasswordKey | default "postgresql-password" }} + name: {{ .Values.postgres.auth.existingSecret | default "defectdojo-postgres-specific" }} + key: {{ .Values.postgres.auth.secretKeys.adminPasswordKey | default "postgresql-password" }} - name: DD_SECRET_KEY valueFrom: secretKeyRef: diff --git a/helm/defectdojo/templates/configmap.yaml b/helm/defectdojo/templates/configmap.yaml index 8f1d510a1a4..604d1e3d755 100644 --- a/helm/defectdojo/templates/configmap.yaml +++ b/helm/defectdojo/templates/configmap.yaml @@ -40,10 +40,10 @@ data: DD_CELERY_WORKER_CONCURRENCY: '{{ if eq .Values.celery.worker.appSettings.poolType "prefork" }}{{ .Values.celery.worker.appSettings.concurrency | default "8" }}{{ end }}' DD_CELERY_WORKER_PREFETCH_MULTIPLIER: '{{ if eq .Values.celery.worker.appSettings.poolType "prefork" }}{{ .Values.celery.worker.appSettings.prefetchMultiplier | default "128" }}{{ end }}' DD_DATABASE_ENGINE: django.db.backends.postgresql - DD_DATABASE_HOST: {{ template "postgresql.hostname" . }} - DD_DATABASE_PORT: '{{ .Values.postgresql.primary.service.ports.postgresql }}' - DD_DATABASE_USER: {{ .Values.postgresql.auth.username }} - DD_DATABASE_NAME: {{ .Values.postgresql.auth.database }} + DD_DATABASE_HOST: {{ template "postgres.hostname" . }} + DD_DATABASE_PORT: '{{ .Values.postgres.service.port }}' + DD_DATABASE_USER: {{ .Values.postgres.auth.username }} + DD_DATABASE_NAME: {{ .Values.postgres.auth.database }} DD_INITIALIZE: '{{ .Values.initializer.run }}' DD_UWSGI_ENDPOINT: /run/defectdojo/uwsgi.sock DD_UWSGI_HOST: localhost diff --git a/helm/defectdojo/templates/django-deployment.yaml b/helm/defectdojo/templates/django-deployment.yaml index 0a5e86ff420..2b3408a87af 100644 --- a/helm/defectdojo/templates/django-deployment.yaml 
+++ b/helm/defectdojo/templates/django-deployment.yaml @@ -208,8 +208,8 @@ spec: - name: DD_DATABASE_PASSWORD valueFrom: secretKeyRef: - name: {{ .Values.postgresql.auth.existingSecret | default "defectdojo-postgresql-specific" }} - key: {{ .Values.postgresql.auth.secretKeys.userPasswordKey | default "postgresql-password" }} + name: {{ .Values.postgres.auth.existingSecret | default "defectdojo-postgres-specific" }} + key: {{ .Values.postgres.auth.secretKeys.adminPasswordKey | default "postgresql-password" }} - name: DD_SECRET_KEY valueFrom: secretKeyRef: diff --git a/helm/defectdojo/templates/initializer-job.yaml b/helm/defectdojo/templates/initializer-job.yaml index 15d56d4f7fc..db5481bc954 100644 --- a/helm/defectdojo/templates/initializer-job.yaml +++ b/helm/defectdojo/templates/initializer-job.yaml @@ -153,8 +153,8 @@ spec: - name: DD_DATABASE_PASSWORD valueFrom: secretKeyRef: - name: {{ .Values.postgresql.auth.existingSecret }} - key: {{ .Values.postgresql.auth.secretKeys.userPasswordKey }} + name: {{ .Values.postgres.auth.existingSecret }} + key: {{ .Values.postgres.auth.secretKeys.adminPasswordKey }} {{- with .Values.initializer.extraEnv }} {{- toYaml . | nindent 8 }} {{- end }} diff --git a/helm/defectdojo/templates/secret-postgres.yaml b/helm/defectdojo/templates/secret-postgres.yaml new file mode 100644 index 00000000000..9a0c9030f16 --- /dev/null +++ b/helm/defectdojo/templates/secret-postgres.yaml 
@@ -0,0 +1,40 @@
+{{- if .Values.createPostgresSecret -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ annotations:
+ {{- if (not .Values.disableHooks) }}
+ helm.sh/resource-policy: keep
+ helm.sh/hook: "pre-install"
+ helm.sh/hook-delete-policy: "before-hook-creation"
+ {{- end }}
+ {{- range $key, $value := mergeOverwrite dict .Values.extraAnnotations .Values.secrets.annotations }}
+ {{ $key }}: {{ quote $value }}
+ {{- end }}
+ labels:
+ app.kubernetes.io/name: {{ include "defectdojo.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ helm.sh/chart: {{ include "defectdojo.chart" . }}
+ {{- range $key, $value := .Values.extraLabels }}
+ {{ $key }}: {{ quote $value }}
+ {{- end }}
+ name: {{ .Values.postgres.auth.existingSecret }}
+ namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+{{- if .Values.postgres.auth.password }}
+ {{ .Values.postgres.auth.secretKeys.adminPasswordKey }}: {{ .Values.postgres.auth.password | b64enc | quote }}
+{{- else }}
+ {{- $postgresRandomPassword := randAlphaNum 16 | b64enc | quote }}
+ {{ .Values.postgres.auth.secretKeys.adminPasswordKey }}: {{ $postgresRandomPassword }}
+{{- end }}
+{{- end }}
+
+---
+{{- if .Values.createPostgresSecret -}}
+{{- fail "Error: 'createPostgresSecret' value is not supported anymore. Because of license reason, DefectDojo migrated from Bitnami to CloudPirates chart. Use 'createValkeySecret' instead. To be sure that your Postgres is migrated correctly, please follow release notes." }}
+{{- end }}
+{{- if .Values.postgresql -}}
+{{- fail "Error: PostgreSQL values had been migrated to another place. If you have any values in `postgresql:` section in `values.yaml` file, please migrate them to `postgres:` section. If you are using external Postgres instance, related values need to be changed. For more information, please follow release notes." }}
+{{- end }}
\ No newline at end of file
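Review bot: The guard after the `---` separator tests `.Values.createPostgresSecret`, the very flag the Secret template above it requires, so every install that sets `createPostgresSecret=true` (as the README and the k8s-tests workflow in this diff now do) aborts with the "not supported anymore" message; "Use 'createValkeySecret' instead" also reads as copied from the Valkey migration. The check should target the removed name, `{{- if .Values.createPostgresqlSecret -}}`, with the message naming `'createPostgresqlSecret'` and ending in `Use 'createPostgresSecret' instead.`. Separately, the generated Secret now carries only `adminPasswordKey` where the removed template also wrote `userPasswordKey`; if the cloudpirates subchart bootstraps the application role from a different key the role would get no password, so a comment stating which key the subchart consumes would help the next maintainer. The file also lacks a trailing newline.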
diff --git a/helm/defectdojo/templates/secret-postgresql.yaml b/helm/defectdojo/templates/secret-postgresql.yaml
deleted file mode 100644
index 57f38a0e883..00000000000
--- a/helm/defectdojo/templates/secret-postgresql.yaml
+++ /dev/null
@@ -1,42 +0,0 @@
-{{- if .Values.createPostgresqlSecret -}}
-apiVersion: v1
-kind: Secret
-metadata:
- annotations:
- {{- if (not .Values.disableHooks) }}
- helm.sh/resource-policy: keep
- helm.sh/hook: "pre-install"
- helm.sh/hook-delete-policy: "before-hook-creation"
- {{- end }}
- {{- range $key, $value := mergeOverwrite dict .Values.extraAnnotations .Values.secrets.annotations }}
- {{ $key }}: {{ quote $value }}
- {{- end }}
- labels:
- app.kubernetes.io/name: {{ include "defectdojo.name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
- helm.sh/chart: {{ include "defectdojo.chart" . }}
- {{- range $key, $value := .Values.extraLabels }}
- {{ $key }}: {{ quote $value }}
- {{- end }}
- name: {{ .Values.postgresql.auth.existingSecret }}
- namespace: {{ .Release.Namespace }}
-type: Opaque
-data:
-{{- if .Values.postgresql.auth.password }}
- {{ .Values.postgresql.auth.secretKeys.adminPasswordKey }}: {{ .Values.postgresql.auth.password | b64enc | quote }}
- {{ .Values.postgresql.auth.secretKeys.userPasswordKey }}: {{ .Values.postgresql.auth.password | b64enc | quote }}
-{{- else }}
- {{- $postgresRandomPassword := randAlphaNum 16 | b64enc | quote }}
- {{ .Values.postgresql.auth.secretKeys.adminPasswordKey }}: {{ $postgresRandomPassword }}
- {{ .Values.postgresql.auth.secretKeys.userPasswordKey }}: {{ $postgresRandomPassword }}
-{{- end }}
-# TODO: check if replication password in injected into the values
-{{ if eq .Values.postgresql.architecture "replication" -}}
-{{- if .Values.postgresql.postgresqlReplicationPassword }}
- {{ .Values.postgresql.auth.secretKeys.replicationPasswordKey }}: {{ .Values.postgresql.postgresqlReplicationPassword | b64enc | quote }}
-{{- else }}
- {{ .Values.postgresql.auth.secretKeys.replicationPasswordKey }}: {{ randAlphaNum 10 | b64enc | quote }}
-{{- end }}
-{{- end }}
-{{- end }}
diff --git a/helm/defectdojo/templates/tests/unit-tests.yaml b/helm/defectdojo/templates/tests/unit-tests.yaml index efa6b2c39c3..d6d05df8ff3 100644 --- a/helm/defectdojo/templates/tests/unit-tests.yaml +++ b/helm/defectdojo/templates/tests/unit-tests.yaml @@ -31,7 +31,7 @@ spec: name: {{ $fullName }} env: - name: DD_DATABASE_USER - value: {{ .Values.postgresql.auth.username }} + value: {{ .Values.postgres.auth.username }} - name: DD_CELERY_BROKER_PASSWORD valueFrom: secretKeyRef: @@ -41,8 +41,8 @@ spec: - name: DD_DATABASE_PASSWORD valueFrom: secretKeyRef: - name: {{ .Values.postgresql.auth.existingSecret }} - key: {{ .Values.postgresql.auth.secretKeys.userPasswordKey }} + name: {{ .Values.postgres.auth.existingSecret }} + key: {{ .Values.postgres.auth.secretKeys.adminPasswordKey }} - name: DD_DEBUG value: 'True' - name: DD_SECRET_KEY diff --git a/helm/defectdojo/values.schema.json b/helm/defectdojo/values.schema.json index 212f89b850e..2fe3b5de7ad 100644 --- a/helm/defectdojo/values.schema.json +++ b/helm/defectdojo/values.schema.json @@ -376,7 +376,7 @@ } } }, - "createPostgresqlSecret": { + "createPostgresSecret": { "description": "create postgresql secret in defectdojo chart, outside of postgresql chart", "type": "boolean" }, 
@@ -1175,19 +1175,12 @@ "description": "Additional labels to add to the pods: ``` podLabels: key: value ```", "type": "object" }, - "postgresServer": { - "description": "To use an external PostgreSQL instance (like CloudSQL), set `postgresql.enabled` to false, set items in `postgresql.auth` part for authentication, and set the address here:", - "type": [ - "string", - "null" - ] - }, - "postgresql": { - "description": "For more advance options check the bitnami chart documentation: https://github.com/bitnami/charts/tree/main/bitnami/postgresql", + "postgres": { + "description": "For more advance options check the bitnami chart documentation: https://artifacthub.io/packages/helm/cloudpirates-postgres/postgres", "type": "object", "properties": { - "architecture": { - "type": "string" + "affinity": { + "type": "object" }, "auth": { "type": "object", @@ -1206,12 +1199,6 @@ "properties": { "adminPasswordKey": { "type": "string" - }, - "replicationPasswordKey": { - "type": "string" - }, - "userPasswordKey": { - "type": "string" } } }, 
@@ -1220,103 +1207,78 @@ } } }, + "containerSecurityContext": { + "type": "object", + "properties": { + "runAsUser": { + "description": "runAsUser specification below is not applied if enabled=false. enabled=false is the required setting for OpenShift \"restricted SCC\" to work successfully.", + "type": "integer" + } + } + }, "enabled": { "description": "To use an external instance, switch enabled to `false` and set the address in `postgresServer` below", "type": "boolean" }, - "primary": { + "nodeSelector": { + "type": "object" + }, + "persistence": { "type": "object", "properties": { - "affinity": { - "type": "object" - }, "containerSecurityContext": { + "description": "if using restricted SCC set runAsUser: \"auto\" and if running under anyuid SCC - runAsUser needs to match the line above", "type": "object", "properties": { - "enabled": { - "description": "Default is true for K8s. Enabled needs to false for OpenShift restricted SCC and true for anyuid SCC", - "type": "boolean" - }, "runAsUser": { - "description": "runAsUser specification below is not applied if enabled=false. enabled=false is the required setting for OpenShift \"restricted SCC\" to work successfully.", "type": "integer" } } }, - "name": { - "type": "string" - }, - "nodeSelector": { - "type": "object" - }, - "persistence": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - } - } - }, - "podSecurityContext": { - "type": "object", - "properties": { - "enabled": { - "description": "Default is true for K8s. Enabled needs to false for OpenShift restricted SCC and true for anyuid SCC", - "type": "boolean" - }, - "fsGroup": { - "description": "fsGroup specification below is not applied if enabled=false. 
enabled=false is the required setting for OpenShift \"restricted SCC\" to work successfully.", - "type": "integer" - } - } - }, - "service": { - "type": "object", - "properties": { - "ports": { - "type": "object", - "properties": { - "postgresql": { - "type": "integer" - } - } - } - } + "enabled": { + "type": "boolean" } } }, - "shmVolume": { + "podSecurityContext": { "type": "object", "properties": { - "chmod": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - } - } + "fsGroup": { + "description": "fsGroup specification below is not applied if enabled=false. enabled=false is the required setting for OpenShift \"restricted SCC\" to work successfully.", + "type": "integer" } } }, - "volumePermissions": { + "service": { "type": "object", "properties": { - "containerSecurityContext": { - "description": "if using restricted SCC set runAsUser: \"auto\" and if running under anyuid SCC - runAsUser needs to match the line above", + "port": { + "type": "integer" + } + } + }, + "shmVolume": { + "type": "object", + "properties": { + "chmod": { "type": "object", "properties": { - "runAsUser": { - "type": "integer" + "enabled": { + "type": "boolean" } } - }, - "enabled": { - "type": "boolean" } } } } }, + "postgresServer": { + "description": "To use an external PostgreSQL instance (like CloudSQL), set `postgres.enabled` to false, set items in `postgres.auth` part for authentication, and set the address here:", + "type": [ + "string", + "null" + ] + }, "redisParams": { "description": "Parameters attached to the redis connection string, defaults to \"ssl_cert_reqs=optional\" if `redisScheme` is `rediss`", "type": "string" diff --git a/helm/defectdojo/values.yaml b/helm/defectdojo/values.yaml index 66bdb88efeb..9d1a512a06e 100644 --- a/helm/defectdojo/values.yaml +++ b/helm/defectdojo/values.yaml 
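Review bot: The descriptions kept for `postgres.containerSecurityContext.runAsUser` and `postgres.podSecurityContext.fsGroup` still say "not applied if enabled=false", but the `enabled` property they refer to no longer exists under either security context in the new layout (the only `enabled` left is `persistence.enabled`), so the text now points users at a key they cannot set. The same two comments survive verbatim in the values.yaml hunk at `-550`. Suggest trimming both to what is still true, e.g. `"fsGroup applied to the postgres pod securityContext"` and `"runAsUser applied to the postgres container securityContext"`, and documenting the OpenShift restricted-SCC handling separately once it is established for the CloudPirates chart rather than carrying over Bitnami-specific advice.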
@@ -12,7 +12,7 @@ createSecret: false
 # -- create valkey secret in defectdojo chart, outside of valkey chart
 createValkeySecret: false
 # -- create postgresql secret in defectdojo chart, outside of postgresql chart
-createPostgresqlSecret: false
+createPostgresSecret: false
 # -- Track configuration (trackConfig): will automatically respin application pods in case of config changes detection
 # can be:
 # 1. disabled (default)
@@ -550,45 +550,33 @@ initializer: # This might be handy for ArgoCD deployments staticName: false -# -- For more advance options check the bitnami chart documentation: https://github.com/bitnami/charts/tree/main/bitnami/postgresql -postgresql: +# -- For more advance options check the bitnami chart documentation: https://artifacthub.io/packages/helm/cloudpirates-postgres/postgres +postgres: # -- To use an external instance, switch enabled to `false` and set the address in `postgresServer` below enabled: true auth: username: defectdojo password: "" database: defectdojo - existingSecret: defectdojo-postgresql-specific + existingSecret: defectdojo-postgres-specific secretKeys: - adminPasswordKey: postgresql-postgres-password - userPasswordKey: postgresql-password - replicationPasswordKey: postgresql-replication-password - architecture: standalone - primary: - name: primary - persistence: - enabled: true - service: - ports: - postgresql: 5432 - podSecurityContext: - # -- Default is true for K8s. Enabled needs to false for OpenShift restricted SCC and true for anyuid SCC - enabled: true - # -- fsGroup specification below is not applied if enabled=false. enabled=false is the required setting for OpenShift "restricted SCC" to work successfully. - fsGroup: 1001 - containerSecurityContext: - # -- Default is true for K8s. Enabled needs to false for OpenShift restricted SCC and true for anyuid SCC - enabled: true - # -- runAsUser specification below is not applied if enabled=false. enabled=false is the required setting for OpenShift "restricted SCC" to work successfully. - runAsUser: 1001 - affinity: {} - nodeSelector: {} - volumePermissions: + adminPasswordKey: postgres-password + service: + port: 5432 + podSecurityContext: + # -- fsGroup specification below is not applied if enabled=false. enabled=false is the required setting for OpenShift "restricted SCC" to work successfully. 
+ fsGroup: 1001 # TODO: check this because in default, there is 999 + containerSecurityContext: + # -- runAsUser specification below is not applied if enabled=false. enabled=false is the required setting for OpenShift "restricted SCC" to work successfully. + runAsUser: 1001 # TODO: check this because in default, there is 999 + affinity: {} + nodeSelector: {} + persistence: enabled: false # -- if using restricted SCC set runAsUser: "auto" and if running under anyuid SCC - runAsUser needs to match the line above - containerSecurityContext: + containerSecurityContext: # TODO: check this because it is ont in cloudPirates runAsUser: 1001 - shmVolume: + shmVolume: # TODO: check this because it is ont in cloudPirates chmod: enabled: false @@ -711,6 +699,6 @@ redisPort: 6379 redisScheme: redis # # @schema type:[string, null] -# -- To use an external PostgreSQL instance (like CloudSQL), set `postgresql.enabled` to false, -# set items in `postgresql.auth` part for authentication, and set the address here: +# -- To use an external PostgreSQL instance (like CloudSQL), set `postgres.enabled` to false, +# set items in `postgres.auth` part for authentication, and set the address here: postgresServer: ~
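Review bot: `persistence:` is added directly above the unchanged `enabled: false` line that previously belonged to `volumePermissions`, so unless indentation lost in this rendering hides a different nesting, the chart default becomes `postgres.persistence.enabled: false`, whereas the removed `primary.persistence.enabled: true` kept the database on a volume; a default install would then lose its data on a pod restart. The regenerated schema in the `-1220` hunk, which lists `containerSecurityContext` and `enabled` under `persistence`, reads the same way, and the two `# TODO: check this because it is ont in cloudPirates` comments (typo: "not") already flag that `containerSecurityContext` and `shmVolume` landed under `persistence` by accident. If persistence is meant to stay on, `persistence:` / `  enabled: true` should be written explicitly and the stray keys moved to wherever the CloudPirates chart expects them or dropped. The `fsGroup: 1001` / `runAsUser: 1001` TODOs about a default of 999 also deserve resolving before merge, since a UID/GID that does not match the image's user is the usual cause of volume-permission failures; the enclosing `initializer:` block starts before the hunk.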