feat: improve Helm chart #12691
feat: improve Helm chart #12691
Conversation
- Add extraInitContainers to celery+django deployments. - Add extraEnv to all deployments - Remove existing volume logic in favor of agnostic extraVolumes and extraVolumeMounts - Fix optional secret mounts + reference - Update bitnami chart reference (OCI) - Bump up redis chart
|
This pull request reveals multiple security vulnerabilities in the DefectDojo Helm chart, including weak TLS configuration, potential arbitrary configuration and environment variable injection, optional critical secret keys, and potential information disclosure in logs, which could compromise the application's security and data integrity if exploited.
Weak TLS Configuration by Default in
|
| Vulnerability | Weak TLS Configuration by Default |
|---|---|
| Description | The Helm chart configures the Celery broker connection to Redis with ssl_cert_reqs=optional by default when TLS is enabled. This setting means that the client will not verify the server's certificate, making the connection vulnerable to Man-in-the-Middle (MitM) attacks. While the user can override this setting, the insecure default poses a risk. |
django-DefectDojo/helm/defectdojo/templates/configmap.yaml
Lines 29 to 35 in 3f502ad
Arbitrary Configuration Injection in helm/defectdojo/templates/configmap.yaml
| Vulnerability | Arbitrary Configuration Injection |
|---|---|
| Description | The Helm chart allows arbitrary key-value pairs to be injected into the main ConfigMap via the .Values.extraConfigs parameter. The content is directly rendered using toYaml without validation, meaning an operator could inject malicious or overriding configuration values, potentially compromising the application's security. For example, an attacker could override DD_SECRET_KEY or DD_CREDENTIAL_AES_256_KEY if they have control over the Helm chart values. |
django-DefectDojo/helm/defectdojo/templates/configmap.yaml
Lines 55 to 60 in 3f502ad
Arbitrary Environment Variable Injection in Initializer in helm/defectdojo/templates/initializer-job.yaml
| Vulnerability | Arbitrary Environment Variable Injection in Initializer |
|---|---|
| Description | The initializer-job.yaml template uses toYaml on .Values.initializer.extraEnv, allowing arbitrary environment variables to be injected into the initializer job's environment. This job executes Django database migrations (manage.py migrate). An attacker capable of controlling Helm values could inject malicious environment variables, potentially overriding critical database connection parameters (e.g., host, port, user, database name). |
django-DefectDojo/helm/defectdojo/templates/initializer-job.yaml
Lines 145 to 161 in 3f502ad
Optional Critical Secret Keys in helm/defectdojo/templates/django-deployment.yaml
| Vulnerability | Optional Critical Secret Keys |
|---|---|
| Description | The Helm chart for DefectDojo allows DD_SECRET_KEY and DD_CREDENTIAL_AES_256_KEY to be marked as optional: true when sourced from Kubernetes secrets. This means that the application pods can start even if these critical security keys are not provided. In a Django application, SECRET_KEY is fundamental for cryptographic operations like session management and CSRF protection. Similarly, DD_CREDENTIAL_AES_256_KEY is crucial for encrypting sensitive credentials. Allowing these to be optional creates a severe security risk, as the application may fall back to insecure defaults or operate without essential security mechanisms, leading to compromised data integrity, confidentiality, and user authentication. |
django-DefectDojo/helm/defectdojo/templates/django-deployment.yaml
Lines 198 to 219 in 3f502ad
Information Disclosure in Logs in .github/workflows/k8s-tests.yml
| Vulnerability | Information Disclosure in Logs |
|---|---|
| Description | The GitHub Actions workflow in .github/workflows/k8s-tests.yml has been modified to output logs from the uwsgi container when a login screen check fails. This occurs when the HTTP status code is not 200. The kubectl logs command is executed with --tail=30 and targets the uwsgi container specifically. While the logs are limited to the last 30 lines, uwsgi can, under certain failure conditions (e.g., unhandled exceptions, misconfigurations), output sensitive information such as stack traces, internal paths, or environment variable details. If the repository is public, these logs are publicly accessible, potentially aiding an attacker in understanding the application's internal structure and identifying further vulnerabilities. |
django-DefectDojo/.github/workflows/k8s-tests.yml
Lines 132 to 146 in 3f502ad
All finding details can be found in the DryRun Security Dashboard.
|
This pull request has conflicts, please resolve those before we can evaluate the pull request. |
|
@fernandezcuesta Thanks for the PR, we'll ask some helm/k8s experienced devs to look at it. In the mean time could you look at the conflicts? Also this seems to be a bigger change, could you look at basing it against the |
|
Conflicts have been resolved. A maintainer will review the pull request shortly. |
|
@valentijnscholten done, thanks for having a look at it! I also changed the base to |
helm/defectdojo/Chart.lock
Outdated
| repository: https://charts.bitnami.com/bitnami | ||
| version: 16.7.0 | ||
| repository: oci://registry-1.docker.io/bitnamicharts | ||
| version: 16.7.13 |
There was a problem hiding this comment.
TBH, this is a bit confusing for me. I'm using this chart, and 16.7.13 is automatically selected in the final template even though it is not pinned here. I want to look at this more.
There was a problem hiding this comment.
That was autogenerated after a helm dependency update IIRC but can roll it back
There was a problem hiding this comment.
Sorry for the delay, I had been out for a couple of weeks, plus your PR is changing quite a lot of variables.
This is changing quite critical settings. It should be mentioned in the release notes.
But thank you for this work. I was planning to add some adjustments that you used, but never had enough time.
| @@ -28,7 +28,7 @@ data: | |||
| DD_CELERY_BROKER_USER: '' | |||
| DD_CELERY_BROKER_HOST: {{ if eq .Values.celery.broker "redis" }}{{ template "redis.hostname" . }}{{ end }} | |||
| DD_CELERY_BROKER_PORT: '{{ if eq .Values.celery.broker "redis" }}{{- if ( hasKey .Values.redis "master" ) -}}{{ .Values.redis.master.service.ports.redis }}{{ else }}6379{{ end }}{{- end -}}' | |||
| DD_CELERY_BROKER_PARAMS: '{{ if eq .Values.celery.broker "redis" }}{{- if .Values.redis.transportEncryption.enabled -}}{{ .Values.redis.transportEncryption.params | default "ssl_cert_reqs=optional" }}{{ end }}{{ end }}' | |||
| DD_CELERY_BROKER_PARAMS: '{{ if eq .Values.celery.broker "redis" }}{{- if .Values.redis.tls.enabled -}}{{ .Values.celery.brokerParams | default "ssl_cert_reqs=optional" }}{{ end }}{{ end }}' | |||
There was a problem hiding this comment.
I'm not against moving params to .Values.celery.brokerParams, but they are becoming more general. They should not be used only if .Values.redis.tls.enabled == true
There was a problem hiding this comment.
OK I see your point, changing that!
| name: {{ $fullName }}-extrasecrets | ||
| optional: true |
There was a problem hiding this comment.
I understand why this might look like a typo, but it is not. This definition is right.
{{ $fullName }} contains DD_ADMIN_PASSWORD, DD_CREDENTIAL_AES_256_KEY and DD_SECRET_KEY which are necesseary for init of application.
Values from {{ $fullName }}-extrasecrets are usually not needed for initialization. But we might add them.
| name: {{ $fullName }}-extrasecrets | |
| optional: true | |
| name: {{ $fullName }} | |
| - secretRef: | |
| name: {{ $fullName }}-extrasecrets | |
| optional: true |
or feel free to move values from {{ $fullName }} to
- name: DD_XXX
valueFrom:
secretKeyRef:
name: {{ $fullName }}
key: DD_XXX
optional: trueIt might make more sense to do it the other way around (drop separate loading of DD_CREDENTIAL_AES_256_KEY and DD_SECRET_KEY from all deployments and use there):
- secretRef:
name: {{ $fullName }}On the other hand, DD_ADMIN_PASSWORD is not needed in deployments (only in the initializer). So it might be against the least privilege principle.
Btw, it is probably the reason why the test is failing. DD_ADMIN_PASSWORD was not provided to the initializer, so it used a random password.
| # Additional environment variables injected to the initializer job pods. | ||
| extraEnv: [] | ||
| # Array of additional volume mount points for the initializer job pods. | ||
| extraVolumeMounts: [] |
There was a problem hiding this comment.
You probably wanted to edit also
{{- range .Values.initializer.extraVolumes }}
- name: userconfig-{{ .name }}
{{ .type }}:
{{- if (eq .type "configMap") }}
name: {{ .name }}
{{- else if (eq .type "secret") }}
secretName: {{ .name }}
{{- else if (eq .type "hostPath") }}
type: {{ .pathType | default "Directory" }}
path: {{ .hostPath }}
{{- end }}
{{- end }}and
{{- range .Values.initializer.extraVolumes }}
- name: userconfig-{{ .name }}
readOnly: true
mountPath: {{ .path }}
subPath: {{ .subPath }}
{{- end }}in helm/defectdojo/templates/initializer-job.yaml
| type: {{ .pathType | default "Directory" }} | ||
| path: {{ .hostPath }} | ||
| {{- end }} | ||
| {{- with .Values.celery.beat.extraVolumes }} |
There was a problem hiding this comment.
Probably copy-paste issue
| {{- with .Values.celery.beat.extraVolumes }} | |
| {{- with .Values.celery.worker.extraVolumes }} |
| {{- end }} | ||
| {{- if .Values.celery.annotations }} | ||
| {{- with .Values.celery.worker.annotations }} |
There was a problem hiding this comment.
Some copy-paste typo probably
| {{- with .Values.celery.worker.annotations }} | |
| {{- with .Values.celery.beat.annotations }} |
Plus, this might be the issue in some cases. Until now, .Values.celery.worker.annotations was used to annotate pods created from this
deployment. Annotating deployment with exactly the same annotations might be problematic for somebody.
In the initializer, there are annotations and jobAnnotations. What about a similar approach?
| # @type: array<map> | ||
| extraVolumes: [] | ||
| # Enable liveness probe for Celery worker containers. | ||
| livenessProbe: {} |
| # To use an external Redis instance, set enabled to false and uncomment | ||
| # the line below: | ||
| # redisServer: myrediscluster |
There was a problem hiding this comment.
Moved to the comment in L473:
# To use an external Redis instance, switch enabled to false and set the address in .Values.celery.brokerHost
| @@ -13,12 +13,10 @@ metadata: | |||
| {{- with .Values.extraLabels }} | |||
| {{- toYaml . | nindent 4 }} | |||
| {{- end }} | |||
| {{- if .Values.celery.annotations }} | |||
| {{- with .Values.celery.worker.annotations }} | |||
|
Btw, this fix #7961 |
|
This pull request has conflicts, please resolve those before we can evaluate the pull request. |
|
Conflicts have been resolved. A maintainer will review the pull request shortly. |
github-actions
bot
added
conflicts-detected
and removed
docker
docs
unittests
ui
parser
labels
|
Conflicts have been resolved. A maintainer will review the pull request shortly. |
|
@kiblik Thanks for your detailed review and suggestions. I tried to go through all, but have some doubts about one of them (see inline comments). |
Reasoning behind the logic change for volumes, with the existing behaviour we cannot mount projected volumes (e.g. a secret mount where we want the key names being renamed) or per-container volumeMounts (e.g. nginx emptyDir when readOnlyRootFs is enforced).