Merge branch 'dev' into valkey-compose

Author: valentijnscholten

.github/workflows/test-helm-chart.yml

@@ -68,6 +68,10 @@ jobs:
       - name: Check update of "artifacthub.io/changes" HELM annotation
         if: env.changed == 'true'
         run: |
+          # fast fail if `git show` fails
+          set -e
+          set -o pipefail
+
           target_branch=${{ env.ct-branch }}
 
           echo "Checking Chart.yaml annotation changes"
@@ -76,10 +80,10 @@ jobs:
           current_annotation=$(yq e '.annotations."artifacthub.io/changes"' "helm/defectdojo/Chart.yaml")
 
           # Get target branch version of Chart.yaml annotation
-          target_annotation=$(git show "${{ env.ct-branch }}:helm/defectdojo/Chart.yaml" | yq e '.annotations."artifacthub.io/changes"' -)
+          target_annotation=$(git show "origin/${{ env.ct-branch }}:helm/defectdojo/Chart.yaml" | yq e '.annotations."artifacthub.io/changes"' -)
 
           if [[ "$current_annotation" == "$target_annotation" ]]; then
-            echo "::error file=helm/defectdojo/Chart.yaml::The 'artifacthub.io/changes' annotation has not been updated compared to ${{ env.ct-branch }}"
+            echo "::error::The HELM chart has been updated but the 'artifacthub.io/changes' annotation in 'Chart.yaml' has not been changed (compared to '${{ env.ct-branch }}' branch)"
             exit 1
           fi
 

docs/content/en/open_source/upgrading/2.52.md

@@ -2,9 +2,11 @@
 title: 'Upgrading to DefectDojo Version 2.52.x'
 toc_hide: true
 weight: -20250804
-description: Replaced Redis with Valkey
+description: Replaced Redis with Valkey & Helm chart changes.
 ---
 
+## Valkey
+
 Since the license change at Redis the fork ValKey has become widely popular and is backed by industry giants such as AWS. AWS is advising to use ValKey over Redis and is using lower prices for ValKey compared to Redis.
 
 Defect Dojo 2.52 now uses ValKey as a message broker. Teh existing redit volume can be used by Valkey, so this is just a drop in replacement.
@@ -31,4 +33,34 @@ If you want to be 110% sure no tasks will be lost you could perform the upgrade
 `docker compose pull`
 `docker compose up -d`
 
-There are no special instructions for upgrading to 2.52.x. Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.52.0) for the contents of the release.
+## Helm Chart Changes
+
+This release introduces more important changes to the Helm chart configuration:
+
+### Breaking changes
+
+#### Security context
+
+This Helm chart extends security context capabilities to all deployed pods and containers.
+You can define a default pod and container security context globally using `securityContext.podSecurityContext` and `securityContext.containerSecurityContext` keys.
+Additionally, each deployment can specify its own pod and container security contexts, which will override or merge with the global ones. 
+
+#### Fine-grained resources
+
+Now each container can specify the resource requests and limits.
+
+#### Moved values
+
+The following Helm chart values have been modified in this release:
+
+- `securityContext.djangoSecurityContext` → deprecated in favor of container-specific security contexts (`celery.beat.containerSecurityContext`, `celery.worker.containerSecurityContext`, `django.uwsgi.containerSecurityContext` and `dbMigrationChecker.containerSecurityContext`)
+- `securityContext.nginxSecurityContext` → deprecated in favor of container-specific security contexts (`django.nginx.containerSecurityContext`)
+
+### Other changes
+
+- **Extra annotations**: Now we can add common annotations to all resources.
+
+There are other instructions for upgrading to 2.52.x. Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.52.0) for the contents of the release.
+
+## Releas notes
+Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.52.0) for the contents of the release.

helm/defectdojo/README.md

@@ -524,17 +524,19 @@ A Helm chart for Kubernetes to install DefectDojo
 | admin.password | string | `""` |  |
 | admin.secretKey | string | `""` |  |
 | admin.user | string | `"admin"` |  |
-| annotations | object | `{}` |  |
+| alternativeHosts | list | `[]` |  |
 | celery.annotations | object | `{}` |  |
 | celery.beat.affinity | object | `{}` |  |
 | celery.beat.annotations | object | `{}` |  |
+| celery.beat.containerSecurityContext | object | `{}` |  |
 | celery.beat.extraEnv | list | `[]` |  |
 | celery.beat.extraInitContainers | list | `[]` |  |
 | celery.beat.extraVolumeMounts | list | `[]` |  |
 | celery.beat.extraVolumes | list | `[]` |  |
 | celery.beat.livenessProbe | object | `{}` |  |
 | celery.beat.nodeSelector | object | `{}` |  |
 | celery.beat.podAnnotations | object | `{}` |  |
+| celery.beat.podSecurityContext | object | `{}` |  |
 | celery.beat.readinessProbe | object | `{}` |  |
 | celery.beat.replicas | int | `1` |  |
 | celery.beat.resources.limits.cpu | string | `"2000m"` |  |
@@ -548,13 +550,15 @@ A Helm chart for Kubernetes to install DefectDojo
 | celery.worker.affinity | object | `{}` |  |
 | celery.worker.annotations | object | `{}` |  |
 | celery.worker.appSettings.poolType | string | `"solo"` |  |
+| celery.worker.containerSecurityContext | object | `{}` |  |
 | celery.worker.extraEnv | list | `[]` |  |
 | celery.worker.extraInitContainers | list | `[]` |  |
 | celery.worker.extraVolumeMounts | list | `[]` |  |
 | celery.worker.extraVolumes | list | `[]` |  |
 | celery.worker.livenessProbe | object | `{}` |  |
 | celery.worker.nodeSelector | object | `{}` |  |
 | celery.worker.podAnnotations | object | `{}` |  |
+| celery.worker.podSecurityContext | object | `{}` |  |
 | celery.worker.readinessProbe | object | `{}` |  |
 | celery.worker.replicas | int | `1` |  |
 | celery.worker.resources.limits.cpu | string | `"2000m"` |  |
@@ -563,26 +567,35 @@ A Helm chart for Kubernetes to install DefectDojo
 | celery.worker.resources.requests.memory | string | `"128Mi"` |  |
 | celery.worker.startupProbe | object | `{}` |  |
 | celery.worker.tolerations | list | `[]` |  |
+| cloudsql.containerSecurityContext | object | `{}` |  |
 | cloudsql.enable_iam_login | bool | `false` |  |
 | cloudsql.enabled | bool | `false` |  |
+| cloudsql.extraEnv | list | `[]` |  |
+| cloudsql.extraVolumeMounts | list | `[]` |  |
 | cloudsql.image.pullPolicy | string | `"IfNotPresent"` |  |
 | cloudsql.image.repository | string | `"gcr.io/cloudsql-docker/gce-proxy"` |  |
 | cloudsql.image.tag | string | `"1.37.9"` |  |
 | cloudsql.instance | string | `""` |  |
+| cloudsql.resources | object | `{}` |  |
 | cloudsql.use_private_ip | bool | `false` |  |
 | cloudsql.verbose | bool | `true` |  |
 | createPostgresqlSecret | bool | `false` |  |
 | createRedisSecret | bool | `false` |  |
 | createSecret | bool | `false` |  |
+| dbMigrationChecker.containerSecurityContext | object | `{}` |  |
 | dbMigrationChecker.enabled | bool | `true` |  |
+| dbMigrationChecker.extraEnv | list | `[]` |  |
+| dbMigrationChecker.extraVolumeMounts | list | `[]` |  |
 | dbMigrationChecker.resources.limits.cpu | string | `"200m"` |  |
 | dbMigrationChecker.resources.limits.memory | string | `"200Mi"` |  |
 | dbMigrationChecker.resources.requests.cpu | string | `"100m"` |  |
 | dbMigrationChecker.resources.requests.memory | string | `"100Mi"` |  |
 | disableHooks | bool | `false` |  |
 | django.affinity | object | `{}` |  |
 | django.annotations | object | `{}` |  |
+| django.extraEnv | list | `[]` |  |
 | django.extraInitContainers | list | `[]` |  |
+| django.extraVolumeMounts | list | `[]` |  |
 | django.extraVolumes | list | `[]` |  |
 | django.ingress.activateTLS | bool | `true` |  |
 | django.ingress.annotations | object | `{}` |  |
@@ -598,6 +611,7 @@ A Helm chart for Kubernetes to install DefectDojo
 | django.mediaPersistentVolume.persistentVolumeClaim.size | string | `"5Gi"` |  |
 | django.mediaPersistentVolume.persistentVolumeClaim.storageClassName | string | `""` |  |
 | django.mediaPersistentVolume.type | string | `"emptyDir"` |  |
+| django.nginx.containerSecurityContext.runAsUser | int | `1001` |  |
 | django.nginx.extraEnv | list | `[]` |  |
 | django.nginx.extraVolumeMounts | list | `[]` |  |
 | django.nginx.resources.limits.cpu | string | `"2000m"` |  |
@@ -607,6 +621,7 @@ A Helm chart for Kubernetes to install DefectDojo
 | django.nginx.tls.enabled | bool | `false` |  |
 | django.nginx.tls.generateCertificate | bool | `false` |  |
 | django.nodeSelector | object | `{}` |  |
+| django.podSecurityContext.fsGroup | int | `1001` |  |
 | django.replicas | int | `1` |  |
 | django.service.annotations | object | `{}` |  |
 | django.service.type | string | `""` |  |
@@ -619,6 +634,7 @@ A Helm chart for Kubernetes to install DefectDojo
 | django.uwsgi.certificates.certMountPath | string | `"/certs/"` |  |
 | django.uwsgi.certificates.configName | string | `"defectdojo-ca-certs"` |  |
 | django.uwsgi.certificates.enabled | bool | `false` |  |
+| django.uwsgi.containerSecurityContext.runAsUser | int | `1001` |  |
 | django.uwsgi.enableDebug | bool | `false` |  |
 | django.uwsgi.extraEnv | list | `[]` |  |
 | django.uwsgi.extraVolumeMounts | list | `[]` |  |
@@ -644,6 +660,7 @@ A Helm chart for Kubernetes to install DefectDojo
 | django.uwsgi.startupProbe.periodSeconds | int | `5` |  |
 | django.uwsgi.startupProbe.successThreshold | int | `1` |  |
 | django.uwsgi.startupProbe.timeoutSeconds | int | `1` |  |
+| extraAnnotations | object | `{}` |  |
 | extraConfigs | object | `{}` |  |
 | extraEnv | list | `[]` |  |
 | extraLabels | object | `{}` |  |
@@ -656,13 +673,15 @@ A Helm chart for Kubernetes to install DefectDojo
 | imagePullSecrets | string | `nil` |  |
 | initializer.affinity | object | `{}` |  |
 | initializer.annotations | object | `{}` |  |
+| initializer.containerSecurityContext | object | `{}` |  |
 | initializer.extraEnv | list | `[]` |  |
 | initializer.extraVolumeMounts | list | `[]` |  |
 | initializer.extraVolumes | list | `[]` |  |
 | initializer.jobAnnotations | object | `{}` |  |
 | initializer.keepSeconds | int | `60` |  |
 | initializer.labels | object | `{}` |  |
 | initializer.nodeSelector | object | `{}` |  |
+| initializer.podSecurityContext | object | `{}` |  |
 | initializer.resources.limits.cpu | string | `"2000m"` |  |
 | initializer.resources.limits.memory | string | `"512Mi"` |  |
 | initializer.resources.requests.cpu | string | `"100m"` |  |
@@ -672,9 +691,13 @@ A Helm chart for Kubernetes to install DefectDojo
 | initializer.tolerations | list | `[]` |  |
 | localsettingspy | string | `""` |  |
 | monitoring.enabled | bool | `false` |  |
+| monitoring.prometheus.containerSecurityContext | object | `{}` |  |
 | monitoring.prometheus.enabled | bool | `false` |  |
+| monitoring.prometheus.extraEnv | list | `[]` |  |
+| monitoring.prometheus.extraVolumeMounts | list | `[]` |  |
 | monitoring.prometheus.image | string | `"nginx/nginx-prometheus-exporter:1.4.2"` |  |
 | monitoring.prometheus.imagePullPolicy | string | `"IfNotPresent"` |  |
+| monitoring.prometheus.resources | object | `{}` |  |
 | networkPolicy.annotations | object | `{}` |  |
 | networkPolicy.egress | list | `[]` |  |
 | networkPolicy.enabled | bool | `false` |  |
@@ -715,12 +738,14 @@ A Helm chart for Kubernetes to install DefectDojo
 | repositoryPrefix | string | `"defectdojo"` |  |
 | revisionHistoryLimit | int | `10` |  |
 | secrets.annotations | object | `{}` |  |
-| securityContext.djangoSecurityContext.runAsUser | int | `1001` |  |
+| securityContext.containerSecurityContext.runAsNonRoot | bool | `true` |  |
 | securityContext.enabled | bool | `true` |  |
-| securityContext.nginxSecurityContext.runAsUser | int | `1001` |  |
+| securityContext.podSecurityContext.runAsNonRoot | bool | `true` |  |
 | serviceAccount.annotations | object | `{}` |  |
 | serviceAccount.create | bool | `true` |  |
 | serviceAccount.labels | object | `{}` |  |
+| serviceAccount.name | string | `""` |  |
+| siteUrl | string | `""` |  |
 | tag | string | `"latest"` |  |
 | tests.unitTests.resources.limits.cpu | string | `"500m"` |  |
 | tests.unitTests.resources.limits.memory | string | `"512Mi"` |  |