feat: improve Helm chart

.github/workflows/k8s-tests.yml

@@ -109,17 +109,17 @@ jobs:
                  echo "INFO: status:"
                  kubectl get pods
                  echo "INFO: logs:"
-                 kubectl logs  --selector=$3 --all-containers=true
+                 kubectl logs --selector=$3 --all-containers=true
                  exit 1
                fi
                return ${?}
              }
              echo "Waiting for init job..."
-             to_complete  "condition=Complete" job "defectdojo.org/component=initializer"
+             to_complete "condition=Complete" job "defectdojo.org/component=initializer"
              echo "Waiting for celery pods..."
-             to_complete  "condition=ready" pod "defectdojo.org/component=celery"
+             to_complete "condition=ready" pod "defectdojo.org/component=celery"
              echo "Waiting for django pod..."
-             to_complete  "condition=ready" pod "defectdojo.org/component=django"
+             to_complete "condition=ready" pod "defectdojo.org/component=django"
              echo "Pods up and ready to rumbole"
              kubectl get pods
              RETRY=0
@@ -133,15 +133,15 @@ jobs:
                     --max-time 20 \
                     --head \
                     --header "Host: $DD_HOSTNAME" \
-                    http://$DJANGO_IP/login?next=/)
+                    "http://${DJANGO_IP}/login?next=/")
                echo $OUT
-               CR=`echo $OUT | egrep "^HTTP" | cut -d' ' -f2`
+               CR=$(echo $OUT | egrep "^HTTP" | cut -d' ' -f2)
                echo $CR
                if [[ $CR -ne 200 ]]; then
                   echo $RETRY
                   if [[ $RETRY -gt 2 ]]; then
                     kubectl get pods
-                    echo `kubectl logs --tail=30 -l defectdojo.org/component=django -c uwsgi`
+                    echo $(kubectl logs --tail=30 -l defectdojo.org/component=django -c uwsgi)
                     echo "ERROR: cannot display login screen; got HTTP code $CR"
                     exit 1
                   else
@@ -166,7 +166,7 @@ jobs:
                  --data-raw "username=admin&password=$ADMIN_PASS" \
                  --output /dev/null \
                  --write-out "%{http_code}\n" \
-                 http://$DJANGO_IP/api/v2/api-token-auth/)
+                 "http://${DJANGO_IP}/api/v2/api-token-auth/")
              echo $CR
              if [[ $CR -ne 200 ]]; then
               echo "ERROR: login is not possible; got HTTP code $CR"
@@ -175,8 +175,8 @@ jobs:
               echo "Result received"
              fi
              echo "Final Check of components"
-             errors=`kubectl get pods | grep Error | awk '{print  $1}'`
-             if [[ ! -z  $errors ]]; then
+             errors=$(kubectl get pods | grep Error | awk '{print $1}')
+             if [[ ! -z $errors ]]; then
                echo "Few pods with errors"
                for line in $errors; do
                  echo "Dumping log from $line"

docs/content/en/open_source/upgrading/2.50.md

@@ -2,10 +2,54 @@
 title: 'Upgrading to DefectDojo Version 2.50.x'
 toc_hide: true
 weight: -20250804
-description: Dropped support for time_zone in System settings.
+description: Dropped support for time_zone in System settings and Helm chart changes.
 ---
 
+## time_zone changes
+
 To simplify the management of the DefectDojo application, it is not necessary to set the time zone in two places (environmental variables and system settings). From now on, environmental variable is supported.
 Please check that the environmental variable `DD_TIME_ZONE` is set based on your satisfaction. Any [TZ identifier](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) is a valid value. Default value is `UTC`.
 
+## Helm Chart Changes
+
+This release introduces several important changes to the Helm chart configuration:
+
+### Breaking changes
+
+#### Volume Management Improvements
+
+- **Streamlined volume configuration**: The existing volume logic has been removed and replaced with more flexible `extraVolumes` and `extraVolumeMounts` options that provide deployment-agnostic volume management.
+
+> The previous volume implementation prevented mounting projected volumes (such as secret mounts with renamed key names) and per-container volume mounts (like nginx emptyDir when readOnlyRootFs is enforced).
+> The new approach resolves these limitations.
+
+#### Moved values
+
+The following Helm chart values have been modified in this release:
+
+- `redis.transportEncryption.enabled` → `redis.tls.enabled` (aligned with upstream Helm chart)
+- `redis.scheme` → `redis.sentinel.enabled` (controls deployment mode and aligns with upstream chart)
+- `redis.redisServer` → `redisServer` (prevents potential schema conflicts with upstream chart)
+- `redis.transportEncryption.params` → `redisParams` (prevents potential schema conflicts with upstream chart)
+- `postgresql.postgresServer` → `postgresServer` (prevents potential schema conflicts with upstream chart)
+
+### New features
+
+#### Container and Environment Enhancements
+
+- **Added extraInitContainers support**: Both Celery and Django deployments now support additional init containers through the `extraInitContainers` configuration option.
+- **Enhanced probe configuration for Celery**: Added support for customizing liveness, readiness, and startup probes in both Celery beat and worker deployments.
+- **Enhanced environment variable management**: All deployments now include `extraEnv` support for adding custom environment variables. For backwards compatibility, `.Values.extraEnv` can be used to inject common environment variables to all workloads.
+
+### Other changes
+
+- **Celery pod annotations**: Now we can add annotations to Celery beat/worker pods separately.
+- **Flexible secret deployment**: Added the capability to deploy secrets as regular (non-hooked) resources to address compatibility issues encountered with CI/CD tools (such as ArgoCD).
+- **Optional secret references**: Some secret references are now optional, allowing the chart to function even when certain secrets are not created.
+- **Fixed secret mounting**: Resolved issues with optional secret mounts and references.
+- **Updated Bitnami chart reference**: Migrated to OCI (Open Container Initiative) format for the Bitnami chart dependency.
+- **Improved code organization**: Minor Helm chart refactoring to enhance readability and maintainability.
+
+---
+
 There are other instructions for upgrading to 2.50.x. Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.50.0) for the contents of the release.

helm/defectdojo/Chart.lock

@@ -1,9 +1,9 @@
 dependencies:
 - name: postgresql
-  repository: https://charts.bitnami.com/bitnami
-  version: 16.7.0
+  repository: oci://registry-1.docker.io/bitnamicharts
+  version: 16.7.15
 - name: redis
-  repository: https://charts.bitnami.com/bitnami
+  repository: oci://registry-1.docker.io/bitnamicharts
   version: 19.6.4
-digest: sha256:20147b5ef71e728a24b1ce410bfbc64885bb824bac17d75dc3ad49e9af5f1b01
-generated: "2025-05-08T15:21:14.221601771Z"
+digest: sha256:b7190cec386cfc905413b0e7638bcafac0f6c19f1b0dc0b1bd768c09cf8dc295
+generated: "2025-07-02T07:45:06.165441283+02:00"

helm/defectdojo/Chart.yaml

@@ -11,9 +11,9 @@ maintainers:
 dependencies:
   - name: postgresql
     version: ~16.7.0
-    repository: "https://charts.bitnami.com/bitnami"
+    repository: oci://registry-1.docker.io/bitnamicharts
     condition: postgresql.enabled
   - name: redis
     version: ~19.6.0
-    repository: "https://charts.bitnami.com/bitnami"
+    repository: oci://registry-1.docker.io/bitnamicharts
     condition: redis.enabled

helm/defectdojo/templates/_helpers.tpl

@@ -53,15 +53,16 @@ Create the name of the service account to use
 {{-   printf "%s-%s" .Release.Name "postgresql" | trunc 63 | trimSuffix "-" -}}
 {{-  end -}}
 {{- else -}}
-{{-  printf "%s" ( .Values.postgresql.postgresServer | default "127.0.0.1" ) -}}
+{{- .Values.postgresServer | default "127.0.0.1" | quote -}}
 {{- end -}}
 {{- end -}}
+
 {{- define "redis.hostname" -}}
 {{- if eq .Values.celery.broker "redis" -}}
 {{- if .Values.redis.enabled -}}
 {{- printf "%s-%s" .Release.Name "redis-master" | trunc 63 | trimSuffix "-" -}}
 {{- else -}}
-{{- printf "%s" (.Values.celery.brokerHost | default .Values.redis.redisServer) -}}
+{{- .Values.redisServer | default "127.0.0.1" | quote -}}
 {{- end -}}
 {{- end -}}
 {{- end -}}
@@ -71,9 +72,9 @@ Create the name of the service account to use
 */}}
 {{- define "redis.scheme" -}}
 {{- if eq .Values.celery.broker "redis" -}}
-{{- if .Values.redis.transportEncryption.enabled -}}
+{{- if .Values.redis.tls.enabled -}}
 {{- printf "rediss" -}}
-{{- else if eq .Values.redis.scheme "sentinel" -}}
+{{- else if .Values.redis.sentinel.enabled -}}
 {{- printf "sentinel" -}}
 {{- else -}}
 {{- printf "redis" -}}

helm/defectdojo/templates/celery-beat-deployment.yaml

@@ -11,18 +11,16 @@ metadata:
     app.kubernetes.io/managed-by: {{ .Release.Service }}
     helm.sh/chart: {{ include "defectdojo.chart" . }}
     {{- with .Values.extraLabels }}
-        {{- toYaml . | nindent 4 }}
+      {{- toYaml . | nindent 4 }}
     {{- end }}
-{{- if .Values.celery.annotations }}
+  {{- with mergeOverwrite .Values.celery.annotations .Values.celery.beat.annotations }}
   annotations:
-{{- with .Values.celery.annotations }}
-  {{- toYaml . | nindent 4 }}
-{{- end }}
-{{- end }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
   replicas: {{ .Values.celery.beat.replicas }}
-  {{- if .Values.revisionHistoryLimit }}
-  revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
+  {{- with .Values.revisionHistoryLimit }}
+  revisionHistoryLimit: {{ . }}
   {{- end }}
   selector:
     matchLabels:
@@ -44,7 +42,7 @@ spec:
           {{- toYaml . | nindent 8 }}
         {{- end }}
       annotations:
-      {{- with .Values.celery.beat.annotations }}
+      {{- with mergeOverwrite .Values.celery.annotations .Values.celery.beat.podAnnotations }}
         {{- toYaml . | nindent 8 }}
       {{- end }}
       {{- if eq (.Values.trackConfig | default "disabled") "enabled" }}
@@ -54,9 +52,9 @@ spec:
       {{- end }}
     spec:
       serviceAccountName: {{ include "defectdojo.serviceAccountName" . }}
-      {{- if .Values.imagePullSecrets }}
+      {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
-      - name: {{ .Values.imagePullSecrets }}
+      - name: {{ . }}
       {{- end }}
       volumes:
       - name: run
@@ -71,22 +69,16 @@ spec:
         configMap:
           name: {{ .Values.django.uwsgi.certificates.configName }}
       {{- end }}
-      {{- range .Values.celery.extraVolumes }}
-      - name: userconfig-{{ .name }}
-        {{ .type }}:
-          {{- if (eq .type "configMap") }}
-          name: {{ .name }}
-          {{- else if (eq .type "secret") }}
-          secretName: {{ .name }}
-          {{- else if (eq .type "hostPath") }}
-          type: {{ .pathType | default "Directory" }}
-          path: {{ .hostPath }}
-          {{- end }}
+      {{- with .Values.celery.beat.extraVolumes }}
+        {{- . | toYaml | nindent 6 }}
       {{- end }}
-      {{- if or .Values.dbMigrationChecker.enabled .Values.cloudsql.enabled }}
+      {{- if coalesce .Values.dbMigrationChecker.enabled .Values.cloudsql.enabled .Values.celery.beat.extraInitContainers }}
       initContainers:
+      {{- range .Values.celery.beat.extraInitContainers }}
+      - {{- . | toYaml | nindent 8 }}
+      {{- end }}
       {{- end }}
-      {{- if .Values.cloudsql.enabled  }}
+      {{- if .Values.cloudsql.enabled }}
       - name: cloudsql-proxy
         image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }}
         imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }}
@@ -115,6 +107,15 @@ spec:
         name: celery
         image: "{{ template "celery.repository" . }}:{{ .Values.tag }}"
         imagePullPolicy: {{ .Values.imagePullPolicy }}
+        {{- with .Values.celery.beat.livenessProbe }}
+        livenessProbe: {{ toYaml . | nindent 10 }}
+        {{- end }}
+        {{- with .Values.celery.beat.readinessProbe }}
+        readinessProbe: {{ toYaml . | nindent 10 }}
+        {{- end }}
+        {{- with .Values.celery.beat.startupProbe }}
+        startupProbe: {{ toYaml . | nindent 10 }}
+        {{- end }}
         {{- if .Values.securityContext.enabled }}
         securityContext:
           {{- toYaml .Values.securityContext.djangoSecurityContext | nindent 10 }}
@@ -128,15 +129,12 @@ spec:
           mountPath: /app/dojo/settings/local_settings.py
           subPath: file
         {{- end }}
-        {{- if  .Values.django.uwsgi.certificates.enabled }}
+        {{- if .Values.django.uwsgi.certificates.enabled }}
         - name: cert-mount
           mountPath: {{ .Values.django.uwsgi.certificates.certMountPath }}
         {{- end }}
-        {{- range .Values.celery.extraVolumes }}
-        - name: userconfig-{{ .name }}
-          readOnly: true
-          mountPath: {{ .path }}
-          subPath: {{ .subPath }}
+        {{- with .Values.celery.beat.extraVolumeMounts }}
+          {{- . | toYaml | nindent 8 }}
         {{- end }}
         envFrom:
         - configMapRef:
@@ -162,8 +160,12 @@ spec:
             secretKeyRef:
               name: {{ $fullName }}
               key: DD_SECRET_KEY
+              optional: true
         {{- with .Values.extraEnv }}
-          {{- toYaml . | nindent 8 }}
+          {{- . | toYaml | nindent 8 }}
+        {{- end }}
+        {{- with .Values.celery.beat.extraEnv }}
+          {{- . | toYaml | nindent 8 }}
         {{- end }}
         resources:
           {{- toYaml .Values.celery.beat.resources | nindent 10 }}