values.yaml

---
# -- Security context settings
securityContext:
  enabled: true
  containerSecurityContext:
    runAsNonRoot: true
  podSecurityContext:
    runAsNonRoot: true

# -- create defectdojo specific secret
createSecret: false
# -- create valkey secret in defectdojo chart, outside of valkey chart
createValkeySecret: false
# -- create postgresql secret in defectdojo chart, outside of postgresql chart
createPostgresqlSecret: false
# -- Track configuration (trackConfig): will automatically respin application pods in case of config changes detection
# can be:
# 1. disabled (default)
# 2. enabled, enables tracking configuration changes based on SHA256
trackConfig: disabled

# -- Avoid using pre-install hooks, which might cause issues with ArgoCD
disableHooks: false

# -- Annotations globally added to all resources
extraAnnotations: {}
# -- Labels globally added to all resources
extraLabels: {}

images:
  django:
    image:
      registry: ""
      repository: defectdojo/defectdojo-django
      # -- If empty, use appVersion.
      # Another possible values are: latest, X.X.X, X.X.X-debian, X.X.X-alpine (where X.X.X is version of DD).
      # For dev builds (only for testing purposes): nightly-dev, nightly-dev-debian, nightly-dev-alpine.
      # To see all, check https://hub.docker.com/r/defectdojo/defectdojo-django/tags.
      tag: ""
      # -- Prefix "sha256:" is expected in this place
      digest: ""
  nginx:
    image:
      registry: ""
      repository: defectdojo/defectdojo-nginx
      # -- If empty, use appVersion.
      # Another possible values are: latest, X.X.X, X.X.X-alpine (where X.X.X is version of DD).
      # For dev builds (only for testing purposes): nightly-dev, nightly-dev-alpine.
      # To see all, check https://hub.docker.com/r/defectdojo/defectdojo-nginx/tags.
      tag: ""
      # -- Prefix "sha256:" is expected in this place
      digest: ""

# -- Enables application network policy
# For more info follow https://kubernetes.io/docs/concepts/services-networking/network-policies/
networkPolicy:
  enabled: false
  # -- if additional labels need to be allowed (e.g. prometheus scraper)
  # ```
  # ingressExtend:
  #  - podSelector:
  #      matchLabels:
  #      app.kubernetes.io/instance: defectdojo-prometheus
  # ```
  ingressExtend: []
  # -- For more detailed configuration with ports and peers. It will ignore ingressExtend
  # ```
  # ingress:
  #  - from:
  #     - podSelector:
  #         matchLabels:
  #           app.kubernetes.io/instance: defectdojo
  #     - podSelector:
  #         matchLabels:
  #           app.kubernetes.io/instance: defectdojo-prometheus
  #    ports:
  #    - protocol: TCP
  #      port: 8443
  # ```
  ingress: []
  # --
  # ```
  # egress:
  # - to:
  #   - ipBlock:
  #       cidr: 10.0.0.0/24
  #   ports:
  #   - protocol: TCP
  #     port: 443
  # ```
  egress: []
  annotations: {}

# -- Primary hostname of instance
host: defectdojo.default.minikube.local

# -- The full URL to your defectdojo instance, depends on the domain where DD is deployed, it also affects links in Jira.
# Use syntax: `siteUrl: 'https://<yourdomain>'`
siteUrl: ""

# -- optional list of alternative hostnames to use that gets appended to
# DD_ALLOWED_HOSTS. This is necessary when your local hostname does not match
# the global hostname.
alternativeHosts: []
#  - defectdojo.example.com
imagePullPolicy: Always
# @schema type:[string, null]
# -- When using a private registry, name of the secret that holds the registry secret (eg deploy token from gitlab-ci project)
# Create secrets as: kubectl create secret docker-registry defectdojoregistrykey --docker-username=registry_username --docker-password=registry_password --docker-server='https://index.docker.io/v1/'
imagePullSecrets: ~

# -- Additional labels to add to the pods:
# ```
# podLabels:
#   key: value
# ```
podLabels: {}

# -- Allow overriding of revisionHistoryLimit across all deployments.
revisionHistoryLimit: 10

serviceAccount:
  # -- Specifies whether a service account should be created.
  create: true

  # -- The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""

  # -- Optional additional annotations to add to the DefectDojo's Service Account.
  annotations: {}

  # -- Optional additional labels to add to the DefectDojo's Service Account.
  labels: {}

dbMigrationChecker:
  # -- If empty, uses values from images.django.image
  image:
    registry: ""
    repository: ""
    tag: ""
    digest: ""
  # -- Enable/disable the DB migration checker.
  enabled: true
  # -- Container security context for the DB migration checker.
  containerSecurityContext: {}
  # -- Additional environment variables for DB migration checker.
  extraEnv: []
  # -- Array of additional volume mount points for DB migration checker.
  extraVolumeMounts: []
  # -- Resource requests/limits for the DB migration checker.
  resources:
    requests:
      cpu: 100m
      memory: 100Mi
    limits:
      cpu: 200m
      memory: 200Mi

tests:
  unitTests:
    # -- If empty, uses values from images.django.image
    image:
      registry: ""
      repository: ""
      tag: ""
      digest: ""
    automountServiceAccountToken: false
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        cpu: 500m
        memory: 512Mi

admin:
  user: admin
  password: ""
  firstName: Administrator
  lastName: User
  mail: admin@defectdojo.local
  secretKey: ""
  credentialAes256Key: ""
  metricsHttpAuthPassword: ""

monitoring:
  enabled: false
  prometheus:
    # -- Add the nginx prometheus exporter sidecar
    enabled: false
    image:
      registry: ""
      repository: nginx/nginx-prometheus-exporter
      tag: "1.5.1"
      digest: ""
    imagePullPolicy: IfNotPresent
    # -- Optional: container security context for nginx prometheus exporter
    containerSecurityContext: {}
    # -- Optional: additional environment variables injected to the nginx prometheus exporter container
    extraEnv: []
    # -- Array of additional volume mount points for the nginx prometheus exporter
    extraVolumeMounts: []
    # -- Optional: add resource requests/limits for the nginx prometheus exporter container
    resources: {}

secrets:
  # -- Add annotations for secret resources
  annotations: {}

# Components
celery:
  logLevel: INFO
  # -- Common annotations to worker and beat deployments and pods.
  annotations: {}
  beat:
    # -- If empty, uses values from images.django.image
    image:
      registry: ""
      repository: ""
      tag: ""
      digest: ""
    automountServiceAccountToken: false
    # -- Annotations for the Celery beat deployment.
    annotations: {}
    affinity: {}
    # -- Container security context for the Celery beat containers.
    containerSecurityContext: {}
    # -- Additional environment variables injected to Celery beat containers.
    extraEnv: []
    # -- A list of additional initContainers to run before celery beat containers.
    extraInitContainers: []
    # -- Array of additional volume mount points for the celery beat containers.
    extraVolumeMounts: []
    # -- A list of extra volumes to mount
    # @type: array<map>
    extraVolumes: []
    # -- Enable liveness probe for Celery beat container.
    # ```
    # exec:
    #   command:
    #     - bash
    #     - -c
    #     - celery -A dojo inspect ping -t 5
    # initialDelaySeconds: 30
    # periodSeconds: 60
    # timeoutSeconds: 10
    # ```
    livenessProbe: {}
    nodeSelector: {}
    # -- Annotations for the Celery beat pods.
    podAnnotations: {}
    # -- Pod security context for the Celery beat pods.
    podSecurityContext: {}
    # -- Enable readiness probe for Celery beat container.
    readinessProbe: {}
    # @schema maximum:1
    # -- Multiple replicas are not allowed (Beat is intended to be a singleton) because scaling to >1 will double-run schedules
    replicas: 1
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        cpu: 2000m
        memory: 256Mi
    # -- Enable startup probe for Celery beat container.
    startupProbe: {}
    tolerations: []
  worker:
    # -- If empty, uses values from images.django.image
    image:
      registry: ""
      repository: ""
      tag: ""
      digest: ""
    # -- Autoscaling configuration for Celery worker deployment.
    autoscaling:
      enabled: false
      minReplicas: 2
      maxReplicas: 5
      targetCPUUtilizationPercentage: 80
      targetMemoryUtilizationPercentage: 80
      behavior: {}
    automountServiceAccountToken: false
    # -- Annotations for the Celery worker deployment.
    annotations: {}
    affinity: {}
    # -- Container security context for the Celery worker containers.
    containerSecurityContext: {}
    # -- Additional environment variables injected to Celery worker containers.
    extraEnv: []
    # -- A list of additional initContainers to run before celery worker containers.
    extraInitContainers: []
    # -- Array of additional volume mount points for the celery worker containers.
    extraVolumeMounts: []
    # -- A list of extra volumes to mount.
    # @type: array<map>
    extraVolumes: []
    # -- Enable liveness probe for Celery worker containers.
    # ```
    # exec:
    #   command:
    #     - bash
    #     - -c
    #     - celery -A dojo inspect ping -t 5
    # initialDelaySeconds: 30
    # periodSeconds: 60
    # timeoutSeconds: 10
    # ```
    livenessProbe: {}
    nodeSelector: {}
    # -- Annotations for the Celery worker pods.
    podAnnotations: {}
    # -- Configure pod disruption budgets for Celery worker ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/#specifying-a-poddisruptionbudget
    podDisruptionBudget:
      enabled: false
      minAvailable: 50%
      unhealthyPodEvictionPolicy: AlwaysAllow
    # -- Pod security context for the Celery worker pods.
    podSecurityContext: {}
    # -- Enable readiness probe for Celery worker container.
    readinessProbe: {}
    replicas: 1
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        cpu: 2000m
        memory: 512Mi
    # -- Enable startup probe for Celery worker container.
    startupProbe: {}
    #  -- Termination grace period seconds for Celery worker pods.
    terminationGracePeriodSeconds: 300
    tolerations: []
    appSettings:
      # -- Performance improved celery worker config when needing to deal with a lot of findings (e.g deduplication ops)
      # poolType: prefork
      # autoscaleMin: 2
      # autoscaleMax: 8
      # concurrency: 8
      # prefetchMultiplier: 128
      poolType: solo

django:
  # -- Autoscaling configuration for the Django deployment.
  autoscaling:
    enabled: false
    minReplicas: 2
    maxReplicas: 5
    targetCPUUtilizationPercentage: 80
    targetMemoryUtilizationPercentage: 80
    behavior: {}
  automountServiceAccountToken: false
  annotations: {}
  service:
    annotations: {}
    type: ""
  affinity: {}
  # -- Pod security context for the Django pods.
  podSecurityContext:
    fsGroup: 1001
  ingress:
    enabled: true
    ingressClassName: ""
    activateTLS: true
    secretName: defectdojo-tls
    # -- Restricts the type of ingress controller that can interact with our chart (nginx, traefik, ...)
    # `kubernetes.io/ingress.class: nginx`
    # Depending on the size and complexity of your scans, you might want to increase the default ingress timeouts if you see repeated 504 Gateway Timeouts
    # `nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"`
    # `nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"`
    annotations: {}
  # -- Expose the Django service via Gateway API HTTPRoute
  httpRoute:
    enabled: false
    # -- Annotations for the HTTPRoute resource
    annotations: {}
    # -- Parent gateway references for the HTTPRoute
    # parentRefs:
    # - name: my-gateway
    #   namespace: default
    parentRefs: []
  nginx:
    # -- If empty, uses values from images.nginx.image
    image:
      registry: ""
      repository: ""
      tag: ""
      digest: ""
    # -- Container security context for the nginx containers.
    containerSecurityContext:
      # -- nginx dockerfile sets USER=1001
      runAsUser: 1001
    # -- To extra environment variables to the nginx container, you can use extraEnv. For example:
    # extraEnv:
    # - name: FOO
    #   valueFrom:
    #     configMapKeyRef:
    #       name: foo
    #       key: bar
    extraEnv: []
    # -- Array of additional volume mount points for nginx containers.
    extraVolumeMounts: []
    tls:
      enabled: false
      generateCertificate: false
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        cpu: 2000m
        memory: 256Mi
  nodeSelector: {}
  # -- Configure pod disruption budgets for django ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/#specifying-a-poddisruptionbudget
  podDisruptionBudget:
    enabled: false
    minAvailable: 50%
    unhealthyPodEvictionPolicy: AlwaysAllow
  replicas: 1
  strategy: {}
  #  -- Termination grace period seconds for django pods.
  terminationGracePeriodSeconds: 60
  tolerations: []
  uwsgi:
    # -- If empty, uses values from images.django.image
    image:
      registry: ""
      repository: ""
      tag: ""
      digest: ""
    containerSecurityContext:
      # -- django dockerfile sets USER=1001
      runAsUser: 1001
    # -- To add (or override) extra variables which need to be pulled from another configMap, you can
    # use extraEnv. For example:
    # extraEnv:
    # - name: DD_DATABASE_HOST
    #   valueFrom:
    #     configMapKeyRef:
    #       name: my-other-postgres-configmap
    #       key: cluster_endpoint
    extraEnv: []
    # -- Array of additional volume mount points for uwsgi containers.
    extraVolumeMounts: []
    livenessProbe:
      # -- Enable liveness checks on uwsgi container.
      enabled: true
      failureThreshold: 6
      initialDelaySeconds: 0
      periodSeconds: 10
      successThreshold: 1
      timeoutSeconds: 5
    readinessProbe:
      # -- Enable readiness checks on uwsgi container.
      enabled: true
      failureThreshold: 6
      initialDelaySeconds: 0
      periodSeconds: 10
      successThreshold: 1
      timeoutSeconds: 5
    startupProbe:
      # -- Enable startup checks on uwsgi container.
      enabled: true
      failureThreshold: 30
      initialDelaySeconds: 0
      periodSeconds: 5
      successThreshold: 1
      timeoutSeconds: 1
    resources:
      requests:
        cpu: 100m
        memory: 256Mi
      limits:
        cpu: 2000m
        memory: 512Mi
    appSettings:
      processes: 4
      threads: 4
      # -- Use this value to set the maximum number of file descriptors. If set to 0 will be detected by uwsgi
      # e.g. 102400
      maxFd: 0
    # -- this also requires DD_DEBUG to be set to True
    enableDebug: false
    certificates:
    # -- includes additional CA certificate as volume, it refrences REQUESTS_CA_BUNDLE env varible
    # to create configMap `kubectl create cm defectdojo-ca-certs --from-file=ca.crt`
    # NOTE: it reflects REQUESTS_CA_BUNDLE for celery workers, beats as well
      enabled: false
      configName: defectdojo-ca-certs
      certMountPath: /certs/
      certFileName: ca.crt

  # -- Additional environment variables injected to all Django containers and initContainers.
  extraEnv: []
  # -- A list of additional initContainers to run before the uwsgi and nginx containers.
  extraInitContainers: []
  # -- Array of additional volume mount points common to all containers and initContainers.
  extraVolumeMounts: []
  # -- A list of extra volumes to mount.
  extraVolumes: []

  # -- This feature needs more preparation before can be enabled, please visit KUBERNETES.md#media-persistent-volume
  mediaPersistentVolume:
    enabled: true
    # -- any name
    name: media
    # -- could be emptyDir (not for production) or pvc
    type: emptyDir
    # -- in case if pvc specified, should point to the already existing pvc
    persistentVolumeClaim:
      # -- set to true to create a new pvc and if django.mediaPersistentVolume.type is set to pvc
      create: false
      name: ""
      size: 5Gi
      # -- check KUBERNETES.md doc first for option to choose
      accessModes:
      - ReadWriteMany
      storageClassName: ""

initializer:
  run: true
  automountServiceAccountToken: false
  jobAnnotations: {}
  podAnnotations: {}
  labels: {}
  # -- A positive integer will keep this Job and Pod deployed for the specified number of seconds, after which they will be removed. For all other values, the Job and Pod will remain deployed.
  keepSeconds: 60
  affinity: {}
  nodeSelector: {}
  tolerations: []
  # -- If empty, uses values from images.django.image
  image:
    registry: ""
    repository: ""
    tag: ""
    digest: ""
  resources:
    requests:
      cpu: 100m
      memory: 256Mi
    limits:
      cpu: 2000m
      memory: 512Mi
  # -- Container security context for the initializer Job container
  containerSecurityContext: {}
  # -- Additional environment variables injected to the initializer job pods.
  extraEnv: []
  # -- Array of additional volume mount points for the initializer job (init)containers.
  extraVolumeMounts: []
  # -- A list of extra volumes to attach to the initializer job pods.
  extraVolumes: []
  # -- Pod security context for the initializer Job
  podSecurityContext: {}

  # -- staticName defines whether name of the job will be the same (e.g., "defectdojo-initializer")
  # or different every time - generated based on current time (e.g., "defectdojo-initializer-2024-11-11-18-57")
  # This might be handy for ArgoCD deployments
  staticName: false

# -- For more advance options check the bitnami chart documentation: https://github.com/bitnami/charts/tree/main/bitnami/postgresql
postgresql:
  # -- To use an external instance, switch enabled to `false` and set the address in `postgresServer` below
  enabled: true
  auth:
    username: defectdojo
    password: ""
    database: defectdojo
    existingSecret: defectdojo-postgresql-specific
    secretKeys:
      adminPasswordKey: postgresql-postgres-password
      userPasswordKey: postgresql-password
      replicationPasswordKey: postgresql-replication-password
  architecture: standalone
  primary:
    name: primary
    persistence:
      enabled: true
    service:
      ports:
        postgresql: 5432
    podSecurityContext:
      # -- Default is true for K8s. Enabled needs to false for OpenShift restricted SCC and true for anyuid SCC
      enabled: true
      # -- fsGroup specification below is not applied if enabled=false. enabled=false is the required setting for OpenShift "restricted SCC" to work successfully.
      fsGroup: 1001
    containerSecurityContext:
      # -- Default is true for K8s. Enabled needs to false for OpenShift restricted SCC and true for anyuid SCC
      enabled: true
      # -- runAsUser specification below is not applied if enabled=false. enabled=false is the required setting for OpenShift "restricted SCC" to work successfully.
      runAsUser: 1001
    affinity: {}
    nodeSelector: {}
  volumePermissions:
    enabled: false
    # -- if using restricted SCC set runAsUser: "auto" and if running under anyuid SCC - runAsUser needs to match the line above
    containerSecurityContext:
      runAsUser: 1001
  shmVolume:
    chmod:
      enabled: false

# -- Google CloudSQL support in GKE via gce-proxy
cloudsql:
  # -- To use CloudSQL in GKE set 'enable: true'
  enabled: false
  # -- By default, the proxy has verbose logging. Set this to false to make it less verbose
  verbose: true
  # -- set repo and image tag of gce-proxy
  image:
    repository: gcr.io/cloudsql-docker/gce-proxy
    tag: 1.37.12
    pullPolicy: IfNotPresent
  # -- set CloudSQL instance: 'project:zone:instancename'
  instance: ""
  # -- use IAM database authentication
  enable_iam_login: false
  # -- whether to use a private IP to connect to the database
  use_private_ip: false
  # -- Optional: security context for the CloudSQL proxy container.
  containerSecurityContext: {}
  # -- Additional environment variables for the CloudSQL proxy container.
  extraEnv: []
  # -- Array of additional volume mount points for the CloudSQL proxy container
  extraVolumeMounts: []
  # -- Optional: add resource requests/limits for the CloudSQL proxy container.
  resources: {}

# -- Settings to make running the chart on GKE simpler
gke:
  # -- Set to true to configure the Ingress to use the GKE provided ingress controller
  useGKEIngress: false
  # -- Set to true to have GKE automatically provision a TLS certificate for the host specified
  # Requires useGKEIngress to be set to true
  # When using this option, be sure to set django.ingress.activateTLS to false
  useManagedCertificate: false
  # -- Workload Identity allows the K8s service account to assume the IAM access of a GCP service account to interact with other GCP services
  # Only works with serviceAccount.create = true
  workloadIdentityEmail: ""

# -- For more advance options check the bitnami chart documentation: https://artifacthub.io/packages/helm/cloudpirates-valkey/valkey
valkey:
  # -- To use an external instance, switch enabled to `false` and set the address in `redisServer` below
  enabled: true
  auth:
    existingSecret: defectdojo-valkey-specific
    existingSecretPasswordKey: valkey-password
    password: ""
  # -- To use a different port for Redis (default: 6379)
  service:
    port: 6379
  # Sentinel configuration parameters
  sentinel:
    enabled: false
  tls:
    # -- If TLS is enabled, the Redis broker will use the redis:// and optionally mount the certificates
    # from an existing secret.
    enabled: false
    # existingSecret: redis-tls
    # certFilename: tls.crt
    # certKeyFilename: tls.key
    # certCAFilename: ca.crt
  serviceAccount:
    # -- Autocreate dedicated service account (as part of the best practice)
    create: true

# -- To add extra variables not predefined by helm config it is possible to define in extraConfigs block, e.g. below:
# NOTE  Do not store any kind of sensitive information inside of it
# ```
# DD_SOCIAL_AUTH_AUTH0_OAUTH2_ENABLED: 'true'
# DD_SOCIAL_AUTH_AUTH0_KEY: 'dev'
# DD_SOCIAL_AUTH_AUTH0_DOMAIN: 'xxxxx'
# ```
extraConfigs: {}

# -- Extra secrets can be created inside of extraSecrets block:
# NOTE  This is just an exmaple, do not store sensitive data in plain text form, better inject it during the deployment/upgrade by --set extraSecrets.secret=someSecret
# ```
# DD_SOCIAL_AUTH_AUTH0_SECRET: 'xxx'
# ```
extraSecrets: {}

# -- To add (or override) extra variables which need to be pulled from another configMap, you can
# use extraEnv. For example:
# ```
# - name: DD_DATABASE_HOST
#   valueFrom:
#     configMapKeyRef:
#       name: my-other-postgres-configmap
#       key: cluster_endpoint
# ```
extraEnv: []

# -- To add code snippet which would extend setting functionality, you might add it here
# It will be stored as ConfigMap and mounted `dojo/settings/local_settings.py`.
# For more see: https://documentation.defectdojo.com/getting_started/configuration/
# For example:
# ```
# localsettingspy: |
#   INSTALLED_APPS += (
#     'debug_toolbar',
#   )
#   MIDDLEWARE = [
#       'debug_toolbar.middleware.DebugToolbarMiddleware',
#   ] + MIDDLEWARE
# ```
localsettingspy: ""

# -- Parameters attached to the valkey connection string, defaults to "ssl_cert_reqs=optional" if `valkey.tls.enabled`
valkeyParams: ""
#
# External database support.
#
# @schema type:[string, null]
# -- To use an external Redis instance, set `valkey.enabled` to false and set the address here:
redisServer: ~
# -- Parameters attached to the redis connection string, defaults to "ssl_cert_reqs=optional" if `redisScheme` is `rediss`
redisParams: ""
# -- Define the protocol to use with the external Redis instance
redisPort: 6379
# -- Define the protocol to use with the external Redis instance
redisScheme: redis
#
# @schema type:[string, null]
# -- To use an external PostgreSQL instance (like CloudSQL), set `postgresql.enabled` to false,
# set items in `postgresql.auth` part for authentication, and set the address here:
postgresServer: ~