DefectDojo · kiblik · Dec 11, 2025
@@ -76,7 +76,7 @@ jobs:
                --set valkey.enabled=true \
                --set createValkeySecret=true \
                --set postgresql.enabled=true \
-               --set createPostgresqlSecret=true \
+               --set createPostgresSecret=true \
                --set createSecret=true
 
       - name: Check deployment status

@@ -103,7 +103,7 @@ jobs:
       #  if: steps.list_changed.outputs.changed == 'true'
 
       # - name: Run chart-testing (install)
-      #   run: ct install --config ct.yaml --target-branch ${{ env.ct-branch }} --helm-extra-args '--set createSecret=true --set createRabbitMqSecret=true --set createPostgresqlSecret=true --set timeout=900'
+      #   run: ct install --config ct.yaml --target-branch ${{ env.ct-branch }} --helm-extra-args '--set createSecret=true --set createRabbitMqSecret=true --set createPostgresSecret=true --set timeout=900'
       #  if: steps.list_changed.outputs.changed == 'true'
 
   docs_generation:

@@ -1,8 +1,8 @@
 ---
 title: 'Upgrading to DefectDojo Version 2.54.x'
 toc_hide: true
-weight: -20250804
-description: Removal of django-auditlog & Dropped support for DD_PARSER_EXCLUDE & Reimport performance improvements
+weight: -20251201
+description: "Removal of django-auditlog & Helm chart: Postgresql from Bitnami was replaces with CloudPirates & Dropped support for DD_PARSER_EXCLUDE & Reimport performance improvements"
 ---
 
 ## Breaking Change: Removal of django-auditlog
@@ -39,6 +39,46 @@ The switch to `django-pghistory` provides several advantages:
 
 The backfill migration is not mandatory to succeed. If it fails for some reason, the only side effect will be that the first auditlog diff will contain all fields of an object instead just the changed fields.
 
+## Breaking Change: Helm chart - Postgresql from Bitnami was replaces with CloudPirates
+
+##### Renamed + removed values
+
+HELM values had been changed to the following:
+- `createPostgresqlSecret` → `createPostgresSecret`
+- `postgresql.enabled` → `postgres.enabled`
+- `postgresql.auth.username` → `postgres.auth.username`
+- `postgresql.auth.password` → `postgres.auth.password`
+- `postgresql.auth.database` → `postgres.auth.database`
+- `postgresql.auth.existingSecret` → `postgres.auth.existingSecret`, plus value is pointing to secret `defectdojo-postgres-specific` now
+- `postgresql.auth.secretKeys.adminPasswordKey` → `postgres.auth.secretKeys.adminPasswordKey`, plus value is pointing to secret `postgres-password` now
+- `postgresql.auth.secretKeys.userPasswordKey` - is not used anymore
+- `postgresql.auth.secretKeys.replicationPasswordKey` - is not used anymore
+- `postgresql.architecture` - is not used anymore
+- `postgresql.primary.service.ports.postgresql` → `postgres.service.port`
+- rest of `postgresql.primary...` is not used anymore
+
+TODO - finish this
+
+The whole subchart is based on [`cloudpirates-postgres`](https://artifacthub.io/packages/helm/cloudpirates-postgres/postgres), so all additional values can be found there.
+
+If an external Postgres instance is being used, set the parameter `postgres.enabled` to `False`. The parameter `postgresServer` remains available and function as before.
+
+##### How to migrate to Valkey
+
+0. As always, perform a backup of your instance
+1. If you would like to be 100% sure that you do not miss any async event (triggered deduplication, email notification, ...) it is recommended to perform the following substeps (if your system is not in production and/or you are willing to miss some notifications or postpone deduplication to a later time, feel free to skip these substeps)
+   0. Perform the following steps with your previous version of HELM chart (not with the upgraded one - you might lose your data)
+   1. Downscale all producers of async tasks:
+      - Set `django.replicas` to 0 (if you used HPA, adjust it based on your needs)
+      - Set `celery.beat.replicas` to 0 (if you used HPA, adjust it based on your needs)
+      - Do not change `celery.worker.replicas` (they are responsible for processing your async tasks)
+   2. Wait until the processing queue is empty (choose one of the following methods):
+      - ``kubectl exec statefulset/defectdojo-redis-master -c redis -- redis-cli -a `kubectl get secret defectdojo-redis-specific -o go-template='{{index .data "redis-password" | base64decode}}'` llen celery`` -- should output 0 (if your HELM chart used a different name, adjust the command based on your environment)
+      - `kubectl logs deployment/defectdojo-celery-worker -c celery --all-pods=true --follow` -- should stop outputting new task logs
+2. Replace values based on the _Renamed values_ part, update the chart version, and set the number of replicas back. Be aware that Valkey is using a password from the new location, and if you use `createRedisSecret`/`createValkeySecret` password will be regenerated. If you stored this password somewhere else, it will not be valid anymore.
+3. Enjoy DefectDojo
+
+
 ## Dropped support for DD_PARSER_EXCLUDE
 
 To simplify the management of the DefectDojo application, parser exclusions are no longer controlled via the environment variable DD_PARSER_EXCLUDE or application settings. This variable is now unsupported.

@@ -1,9 +1,9 @@
 dependencies:
-- name: postgresql
-  repository: oci://us-docker.pkg.dev/os-public-container-registry/defectdojo
-  version: 16.7.27
+- name: postgres
+  repository: oci://registry-1.docker.io/cloudpirates
+  version: 0.13.3
 - name: valkey
   repository: oci://registry-1.docker.io/cloudpirates
   version: 0.13.0
-digest: sha256:2ea1c1bef68a7e7fd2dee4262506c880e48c9703cb7ba9908d91b891fc630048
-generated: "2025-12-15T17:19:18.528341139Z"
+digest: sha256:0e62815b84927241859692d2e9d0b0460106474f5efd23d6d63e8fd2789c2d4c
+generated: "2025-12-20T00:00:22.276183+01:00"
@@ -9,10 +9,10 @@ maintainers:
     email: [email protected]
     url: https://github.com/DefectDojo/django-DefectDojo
 dependencies:
-  - name: postgresql
-    version: 16.7.27
-    repository: "oci://us-docker.pkg.dev/os-public-container-registry/defectdojo"
-    condition: postgresql.enabled
+  - name: postgres
+    version: 0.13.3
+    repository: "oci://registry-1.docker.io/cloudpirates"
+    condition: postgres.enabled
   - name: valkey
     version: 0.13.0
     repository: "oci://registry-1.docker.io/cloudpirates"
@@ -34,4 +34,6 @@ dependencies:
 #     description: Critical bug
 annotations:
   artifacthub.io/prerelease: "true"
-  artifacthub.io/changes: ""
+  artifacthub.io/changes: |
+    - kind: changed
+      description: PostgreSQL from Bitnami replaced with CloudPirates
@@ -95,7 +95,7 @@ helm install \
   --set django.ingress.activateTLS=${DJANGO_INGRESS_ACTIVATE_TLS} \
   --set createSecret=true \
   --set createValkeySecret=true \
-  --set createPostgresqlSecret=true
+  --set createPostgresSecret=true
 ```
 
 It usually takes up to a minute for the services to startup and the
@@ -281,7 +281,7 @@ helm install \
   --set django.ingress.secretName="minikube-tls" \
   --set createSecret=true \
   --set createValkeySecret=true \
-  --set createPostgresqlSecret=true
+  --set createPostgresSecret=true
 
 # For high availability deploy multiple instances of Django, Celery and Valkey
 helm install \
@@ -296,7 +296,7 @@ helm install \
   --set valkey.replicaCount=3 \
   --set createSecret=true \
   --set createValkeySecret=true \
-  --set createPostgresqlSecret=true
+  --set createPostgresSecret=true
 
 # Run highly available PostgreSQL cluster
 # for production environment.
@@ -310,12 +310,12 @@ helm install \
   --set valkey.architecture=replication \
   --set valkey.replicaCount=3 \
   --set django.ingress.secretName="minikube-tls" \
-  --set postgresql.enabled=true \
-  --set postgresql.replication.enabled=true \
-  --set postgresql.replication.slaveReplicas=3 \
+  --set postgres.enabled=true \
+  --set postgres.replication.enabled=true \
+  --set postgres.replication.slaveReplicas=3 \
   --set createSecret=true \
   --set createValkeySecret=true \
-  --set createPostgresqlSecret=true
+  --set createPostgresSecret=true
 
 # Note: If you run `helm install defectdojo before, you will get an error
 # message like `Error: release defectdojo failed: secrets "defectdojo" already
@@ -393,7 +393,7 @@ Sample secret template (replace the placeholders with your PostgreSQL credential
 apiversion: v1
 kind: Secret
 metadata: 
-  name: defectdojo-postgresql-specific 
+  name: defectdojo-postgres-specific 
 type: Opaque
 stringData:  # I chose stringData for better visualization of the credentials for debugging
   password: <user-password>
@@ -435,9 +435,7 @@ postgresql:
     database: defectdojo # your database name
     secretKeys:
       adminPasswordKey: password # the name of the field containing the password value
-      userPasswordKey: password # the name of the field containing the password value
-      replicationPasswordKey: password # the name of the field containing the password value
-    existingSecret: defectdojo-postgresql-specific # the secret containing your database password
+    existingSecret: defectdojo-postgres-specific # the secret containing your database password
 
 extraEnv:
 # Overwrite the database endpoint
@@ -487,7 +485,7 @@ helm uninstall defectdojo
 To remove persistent objects not removed by uninstall (this will remove any database):
 
 ```
-kubectl delete secrets defectdojo defectdojo-redis-specific defectdojo-postgresql-specific
+kubectl delete secrets defectdojo defectdojo-redis-specific defectdojo-postgres-specific
 kubectl delete serviceAccount defectdojo
 kubectl delete pvc data-defectdojo-redis-0 data-defectdojo-postgresql-0
 ```
@@ -525,8 +523,8 @@ A Helm chart for Kubernetes to install DefectDojo
 
 | Repository | Name | Version |
 |------------|------|---------|
-| oci://registry-1.docker.io/cloudpirates | valkey | 0.10.2 |
-| oci://us-docker.pkg.dev/os-public-container-registry/defectdojo | postgresql | 16.7.27 |
+| oci://registry-1.docker.io/cloudpirates | postgres | 0.13.3 |
+| oci://registry-1.docker.io/cloudpirates | valkey | 0.10.3 |
 
 ## Values
 
@@ -600,7 +598,7 @@ A Helm chart for Kubernetes to install DefectDojo
 | cloudsql.resources | object | `{}` | Optional: add resource requests/limits for the CloudSQL proxy container. |
 | cloudsql.use_private_ip | bool | `false` | whether to use a private IP to connect to the database |
 | cloudsql.verbose | bool | `true` | By default, the proxy has verbose logging. Set this to false to make it less verbose |
-| createPostgresqlSecret | bool | `false` | create postgresql secret in defectdojo chart, outside of postgresql chart |
+| createPostgresSecret | bool | `false` | create postgresql secret in defectdojo chart, outside of postgresql chart |
 | createSecret | bool | `false` | create defectdojo specific secret |
 | createValkeySecret | bool | `false` | create valkey secret in defectdojo chart, outside of valkey chart |
 | dbMigrationChecker.containerSecurityContext | object | `{}` | Container security context for the DB migration checker. |
@@ -740,14 +738,12 @@ A Helm chart for Kubernetes to install DefectDojo
 | networkPolicy.ingress | list | `[]` | For more detailed configuration with ports and peers. It will ignore ingressExtend ``` ingress:  - from:     - podSelector:         matchLabels:           app.kubernetes.io/instance: defectdojo     - podSelector:         matchLabels:           app.kubernetes.io/instance: defectdojo-prometheus    ports:    - protocol: TCP      port: 8443 ``` |
 | networkPolicy.ingressExtend | list | `[]` | if additional labels need to be allowed (e.g. prometheus scraper) ``` ingressExtend:  - podSelector:      matchLabels:      app.kubernetes.io/instance: defectdojo-prometheus ``` |
 | podLabels | object | `{}` | Additional labels to add to the pods: ``` podLabels:   key: value ``` |
-| postgresServer | string | `nil` | To use an external PostgreSQL instance (like CloudSQL), set `postgresql.enabled` to false, set items in `postgresql.auth` part for authentication, and set the address here: |
-| postgresql | object | `{"architecture":"standalone","auth":{"database":"defectdojo","existingSecret":"defectdojo-postgresql-specific","password":"","secretKeys":{"adminPasswordKey":"postgresql-postgres-password","replicationPasswordKey":"postgresql-replication-password","userPasswordKey":"postgresql-password"},"username":"defectdojo"},"enabled":true,"primary":{"affinity":{},"containerSecurityContext":{"enabled":true,"runAsUser":1001},"name":"primary","nodeSelector":{},"persistence":{"enabled":true},"podSecurityContext":{"enabled":true,"fsGroup":1001},"service":{"ports":{"postgresql":5432}}},"shmVolume":{"chmod":{"enabled":false}},"volumePermissions":{"containerSecurityContext":{"runAsUser":1001},"enabled":false}}` | For more advance options check the bitnami chart documentation: https://github.com/bitnami/charts/tree/main/bitnami/postgresql |
-| postgresql.enabled | bool | `true` | To use an external instance, switch enabled to `false` and set the address in `postgresServer` below |
-| postgresql.primary.containerSecurityContext.enabled | bool | `true` | Default is true for K8s. Enabled needs to false for OpenShift restricted SCC and true for anyuid SCC |
-| postgresql.primary.containerSecurityContext.runAsUser | int | `1001` | runAsUser specification below is not applied if enabled=false. enabled=false is the required setting for OpenShift "restricted SCC" to work successfully. |
-| postgresql.primary.podSecurityContext.enabled | bool | `true` | Default is true for K8s. Enabled needs to false for OpenShift restricted SCC and true for anyuid SCC |
-| postgresql.primary.podSecurityContext.fsGroup | int | `1001` | fsGroup specification below is not applied if enabled=false. enabled=false is the required setting for OpenShift "restricted SCC" to work successfully. |
-| postgresql.volumePermissions.containerSecurityContext | object | `{"runAsUser":1001}` | if using restricted SCC set runAsUser: "auto" and if running under anyuid SCC - runAsUser needs to match the line above |
+| postgres | object | `{"affinity":{},"auth":{"database":"defectdojo","existingSecret":"defectdojo-postgres-specific","password":"","secretKeys":{"adminPasswordKey":"postgres-password"},"username":"defectdojo"},"containerSecurityContext":{"runAsUser":1001},"enabled":true,"nodeSelector":{},"persistence":{"containerSecurityContext":{"runAsUser":1001},"enabled":false},"podSecurityContext":{"fsGroup":1001},"service":{"port":5432},"shmVolume":{"chmod":{"enabled":false}}}` | For more advance options check the bitnami chart documentation: https://artifacthub.io/packages/helm/cloudpirates-postgres/postgres |
+| postgres.containerSecurityContext.runAsUser | int | `1001` | runAsUser specification below is not applied if enabled=false. enabled=false is the required setting for OpenShift "restricted SCC" to work successfully. |
+| postgres.enabled | bool | `true` | To use an external instance, switch enabled to `false` and set the address in `postgresServer` below |
+| postgres.persistence.containerSecurityContext | object | `{"runAsUser":1001}` | if using restricted SCC set runAsUser: "auto" and if running under anyuid SCC - runAsUser needs to match the line above |
+| postgres.podSecurityContext.fsGroup | int | `1001` | fsGroup specification below is not applied if enabled=false. enabled=false is the required setting for OpenShift "restricted SCC" to work successfully. |
+| postgresServer | string | `nil` | To use an external PostgreSQL instance (like CloudSQL), set `postgres.enabled` to false, set items in `postgres.auth` part for authentication, and set the address here: |
 | redisParams | string | `""` | Parameters attached to the redis connection string, defaults to "ssl_cert_reqs=optional" if `redisScheme` is `rediss` |
 | redisPort | int | `6379` | Define the protocol to use with the external Redis instance |
 | redisScheme | string | `"redis"` | Define the protocol to use with the external Redis instance |

@@ -95,7 +95,7 @@ helm install \
   --set django.ingress.activateTLS=${DJANGO_INGRESS_ACTIVATE_TLS} \
   --set createSecret=true \
   --set createValkeySecret=true \
-  --set createPostgresqlSecret=true
+  --set createPostgresSecret=true
 ```
 
 It usually takes up to a minute for the services to startup and the
@@ -281,7 +281,7 @@ helm install \
   --set django.ingress.secretName="minikube-tls" \
   --set createSecret=true \
   --set createValkeySecret=true \
-  --set createPostgresqlSecret=true
+  --set createPostgresSecret=true
 
 # For high availability deploy multiple instances of Django, Celery and Valkey
 helm install \
@@ -296,7 +296,7 @@ helm install \
   --set valkey.replicaCount=3 \
   --set createSecret=true \
   --set createValkeySecret=true \
-  --set createPostgresqlSecret=true
+  --set createPostgresSecret=true
 
 # Run highly available PostgreSQL cluster
 # for production environment.
@@ -310,12 +310,12 @@ helm install \
   --set valkey.architecture=replication \
   --set valkey.replicaCount=3 \
   --set django.ingress.secretName="minikube-tls" \
-  --set postgresql.enabled=true \
-  --set postgresql.replication.enabled=true \
-  --set postgresql.replication.slaveReplicas=3 \
+  --set postgres.enabled=true \
+  --set postgres.replication.enabled=true \
+  --set postgres.replication.slaveReplicas=3 \
   --set createSecret=true \
   --set createValkeySecret=true \
-  --set createPostgresqlSecret=true
+  --set createPostgresSecret=true
 
 # Note: If you run `helm install defectdojo before, you will get an error
 # message like `Error: release defectdojo failed: secrets "defectdojo" already
@@ -393,7 +393,7 @@ Sample secret template (replace the placeholders with your PostgreSQL credential
 apiversion: v1
 kind: Secret
 metadata:  
-  name: defectdojo-postgresql-specific  
+  name: defectdojo-postgres-specific  
 type: Opaque
 stringData:  # I chose stringData for better visualization of the credentials for debugging
   password: <user-password>
@@ -435,9 +435,7 @@ postgresql:
     database: defectdojo # your database name
     secretKeys: 
       adminPasswordKey: password # the name of the field containing the password value
-      userPasswordKey: password # the name of the field containing the password value
-      replicationPasswordKey: password # the name of the field containing the password value
-    existingSecret: defectdojo-postgresql-specific # the secret containing your database password
+    existingSecret: defectdojo-postgres-specific # the secret containing your database password
 
 extraEnv:
 # Overwrite the database endpoint
@@ -489,7 +487,7 @@ helm uninstall defectdojo
 To remove persistent objects not removed by uninstall (this will remove any database):
 
 ```
-kubectl delete secrets defectdojo defectdojo-redis-specific defectdojo-postgresql-specific
+kubectl delete secrets defectdojo defectdojo-redis-specific defectdojo-postgres-specific
 kubectl delete serviceAccount defectdojo
 kubectl delete pvc data-defectdojo-redis-0 data-defectdojo-postgresql-0
 ```