feat(helm): Split image locations+tags, allow digest pinning

Author: kiblik

.github/workflows/k8s-tests.yml

@@ -67,6 +67,8 @@ jobs:
                defectdojo \
                ./helm/defectdojo \
                --set django.ingress.enabled=true \
+               --set images.django.image.tag=latest \
+               --set images.nginx.image.tag=latest \
                --set imagePullPolicy=Never \
                --set initializer.keepSeconds="-1" \
                --set redis.enabled=true \

.github/workflows/release-x-manual-helm-chart.yml

@@ -69,16 +69,6 @@ jobs:
              helm dependency list ./helm/defectdojo
              helm dependency update ./helm/defectdojo
 
-      - name: Add yq
-        uses: mikefarah/yq@6251e95af8df3505def48c71f3119836701495d6 # v4.47.2
-
-      - name: Pin version docker version
-        id: pin_image
-        run: |-
-          yq --version
-          yq -i '.tag="${{ inputs.release_number }}"'  helm/defectdojo/values.yaml
-          echo "Current image tag:`yq -r '.tag' helm/defectdojo/values.yaml`"
-
       - name: Package Helm chart
         id: package-helm-chart
         run: |

docs/content/en/open_source/upgrading/2.52.md

@@ -11,6 +11,13 @@ This release introduces more important changes to the Helm chart configuration:
 
 ### Breaking changes
 
+#### Tags
+
+`tag` and `repositoryPrefix` fields have been deprecated. Currently, image tags used in containers are derived by default from the `appVersion` defined in the Chart.  
+This behavior can be overridden by setting the `tag` value in `images.django` and `images.nginx`.  
+If fine-tuning is necessary, each container’s image value can also be customized individually (`celery.beat.image`, `celery.worker.image`, `django.nginx.image`, `django.uwsgi.image`, `initializer.image`, and `dbMigrationChecker.image`).  
+Digest pinning is now supported as well.
+
 #### Security context
 
 This Helm chart extends security context capabilities to all deployed pods and containers.

helm/defectdojo/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: "2.52.0-dev"
 description: A Helm chart for Kubernetes to install DefectDojo
 name: defectdojo
-version: 1.7.2-dev
+version: 1.8.0-dev
 icon: https://defectdojo.com/hubfs/DefectDojo_favicon.png
 maintainers:
   - name: madchap
@@ -22,3 +22,5 @@ annotations:
   artifacthub.io/changes: |
     - kind: changed
       description: DRY cloudsql-proxy
+    - kind: changed
+      description: Each component allow to specific image + allow digest pinning

helm/defectdojo/README.md

@@ -495,7 +495,7 @@ kubectl delete pvc data-defectdojo-redis-0 data-defectdojo-postgresql-0
 
 # General information about chart values
 
-![Version: 1.7.2-dev](https://img.shields.io/badge/Version-1.7.2--dev-informational?style=flat-square) ![AppVersion: 2.52.0-dev](https://img.shields.io/badge/AppVersion-2.52.0--dev-informational?style=flat-square)
+![Version: 1.8.0-dev](https://img.shields.io/badge/Version-1.8.0--dev-informational?style=flat-square) ![AppVersion: 2.52.0-dev](https://img.shields.io/badge/AppVersion-2.52.0--dev-informational?style=flat-square)
 
 A Helm chart for Kubernetes to install DefectDojo
 
@@ -534,6 +534,10 @@ A Helm chart for Kubernetes to install DefectDojo
 | celery.beat.extraInitContainers | list | `[]` |  |
 | celery.beat.extraVolumeMounts | list | `[]` |  |
 | celery.beat.extraVolumes | list | `[]` |  |
+| celery.beat.image.digest | string | `""` |  |
+| celery.beat.image.registry | string | `""` |  |
+| celery.beat.image.repository | string | `""` |  |
+| celery.beat.image.tag | string | `""` |  |
 | celery.beat.livenessProbe | object | `{}` |  |
 | celery.beat.nodeSelector | object | `{}` |  |
 | celery.beat.podAnnotations | object | `{}` |  |
@@ -557,6 +561,10 @@ A Helm chart for Kubernetes to install DefectDojo
 | celery.worker.extraInitContainers | list | `[]` |  |
 | celery.worker.extraVolumeMounts | list | `[]` |  |
 | celery.worker.extraVolumes | list | `[]` |  |
+| celery.worker.image.digest | string | `""` |  |
+| celery.worker.image.registry | string | `""` |  |
+| celery.worker.image.repository | string | `""` |  |
+| celery.worker.image.tag | string | `""` |  |
 | celery.worker.livenessProbe | object | `{}` |  |
 | celery.worker.nodeSelector | object | `{}` |  |
 | celery.worker.podAnnotations | object | `{}` |  |
@@ -588,6 +596,10 @@ A Helm chart for Kubernetes to install DefectDojo
 | dbMigrationChecker.enabled | bool | `true` |  |
 | dbMigrationChecker.extraEnv | list | `[]` |  |
 | dbMigrationChecker.extraVolumeMounts | list | `[]` |  |
+| dbMigrationChecker.image.digest | string | `""` |  |
+| dbMigrationChecker.image.registry | string | `""` |  |
+| dbMigrationChecker.image.repository | string | `""` |  |
+| dbMigrationChecker.image.tag | string | `""` |  |
 | dbMigrationChecker.resources.limits.cpu | string | `"200m"` |  |
 | dbMigrationChecker.resources.limits.memory | string | `"200Mi"` |  |
 | dbMigrationChecker.resources.requests.cpu | string | `"100m"` |  |
@@ -617,6 +629,10 @@ A Helm chart for Kubernetes to install DefectDojo
 | django.nginx.containerSecurityContext.runAsUser | int | `1001` |  |
 | django.nginx.extraEnv | list | `[]` |  |
 | django.nginx.extraVolumeMounts | list | `[]` |  |
+| django.nginx.image.digest | string | `""` |  |
+| django.nginx.image.registry | string | `""` |  |
+| django.nginx.image.repository | string | `""` |  |
+| django.nginx.image.tag | string | `""` |  |
 | django.nginx.resources.limits.cpu | string | `"2000m"` |  |
 | django.nginx.resources.limits.memory | string | `"256Mi"` |  |
 | django.nginx.resources.requests.cpu | string | `"100m"` |  |
@@ -641,6 +657,10 @@ A Helm chart for Kubernetes to install DefectDojo
 | django.uwsgi.enableDebug | bool | `false` |  |
 | django.uwsgi.extraEnv | list | `[]` |  |
 | django.uwsgi.extraVolumeMounts | list | `[]` |  |
+| django.uwsgi.image.digest | string | `""` |  |
+| django.uwsgi.image.registry | string | `""` |  |
+| django.uwsgi.image.repository | string | `""` |  |
+| django.uwsgi.image.tag | string | `""` |  |
 | django.uwsgi.livenessProbe.enabled | bool | `true` |  |
 | django.uwsgi.livenessProbe.failureThreshold | int | `6` |  |
 | django.uwsgi.livenessProbe.initialDelaySeconds | int | `0` |  |
@@ -674,13 +694,25 @@ A Helm chart for Kubernetes to install DefectDojo
 | host | string | `"defectdojo.default.minikube.local"` |  |
 | imagePullPolicy | string | `"Always"` |  |
 | imagePullSecrets | string | `nil` |  |
+| images.django.image.digest | string | `""` |  |
+| images.django.image.registry | string | `""` |  |
+| images.django.image.repository | string | `"defectdojo/defectdojo-django"` |  |
+| images.django.image.tag | string | `""` |  |
+| images.nginx.image.digest | string | `""` |  |
+| images.nginx.image.registry | string | `""` |  |
+| images.nginx.image.repository | string | `"defectdojo/defectdojo-nginx"` |  |
+| images.nginx.image.tag | string | `""` |  |
 | initializer.affinity | object | `{}` |  |
 | initializer.annotations | object | `{}` |  |
 | initializer.automountServiceAccountToken | bool | `false` |  |
 | initializer.containerSecurityContext | object | `{}` |  |
 | initializer.extraEnv | list | `[]` |  |
 | initializer.extraVolumeMounts | list | `[]` |  |
 | initializer.extraVolumes | list | `[]` |  |
+| initializer.image.digest | string | `""` |  |
+| initializer.image.registry | string | `""` |  |
+| initializer.image.repository | string | `""` |  |
+| initializer.image.tag | string | `""` |  |
 | initializer.jobAnnotations | object | `{}` |  |
 | initializer.keepSeconds | int | `60` |  |
 | initializer.labels | object | `{}` |  |
@@ -699,7 +731,10 @@ A Helm chart for Kubernetes to install DefectDojo
 | monitoring.prometheus.enabled | bool | `false` |  |
 | monitoring.prometheus.extraEnv | list | `[]` |  |
 | monitoring.prometheus.extraVolumeMounts | list | `[]` |  |
-| monitoring.prometheus.image | string | `"nginx/nginx-prometheus-exporter:1.4.2"` |  |
+| monitoring.prometheus.image.digest | string | `""` |  |
+| monitoring.prometheus.image.registry | string | `""` |  |
+| monitoring.prometheus.image.repository | string | `"nginx/nginx-prometheus-exporter"` |  |
+| monitoring.prometheus.image.tag | string | `"1.4.2"` |  |
 | monitoring.prometheus.imagePullPolicy | string | `"IfNotPresent"` |  |
 | monitoring.prometheus.resources | object | `{}` |  |
 | networkPolicy.annotations | object | `{}` |  |
@@ -739,7 +774,6 @@ A Helm chart for Kubernetes to install DefectDojo
 | redis.tls.enabled | bool | `false` |  |
 | redisParams | string | `""` |  |
 | redisServer | string | `nil` |  |
-| repositoryPrefix | string | `"defectdojo"` |  |
 | revisionHistoryLimit | int | `10` |  |
 | secrets.annotations | object | `{}` |  |
 | securityContext.containerSecurityContext.runAsNonRoot | bool | `true` |  |
@@ -750,8 +784,11 @@ A Helm chart for Kubernetes to install DefectDojo
 | serviceAccount.labels | object | `{}` |  |
 | serviceAccount.name | string | `""` |  |
 | siteUrl | string | `""` |  |
-| tag | string | `"latest"` |  |
 | tests.unitTests.automountServiceAccountToken | bool | `false` |  |
+| tests.unitTests.image.digest | string | `""` |  |
+| tests.unitTests.image.registry | string | `""` |  |
+| tests.unitTests.image.repository | string | `""` |  |
+| tests.unitTests.image.tag | string | `""` |  |
 | tests.unitTests.resources.limits.cpu | string | `"500m"` |  |
 | tests.unitTests.resources.limits.memory | string | `"512Mi"` |  |
 | tests.unitTests.resources.requests.cpu | string | `"100m"` |  |

helm/defectdojo/templates/_helpers.tpl

@@ -85,20 +85,64 @@
 {{- /*
   Builds the repository names for use with local or private registries
 */}}
-{{- define "celery.repository" -}}
-{{- printf "%s" .Values.repositoryPrefix -}}/defectdojo-django
+{{- define "celery.beat.image" -}}
+{{ include "images.image" (dict "imageRoot" (merge .Values.celery.beat.image .Values.images.django.image) "global" .Values.global "chart" .Chart ) }}
 {{- end -}}
 
-{{- define "django.nginx.repository" -}}
-{{- printf "%s" .Values.repositoryPrefix -}}/defectdojo-nginx
+{{- define "celery.worker.image" -}}
+{{ include "images.image" (dict "imageRoot" (merge .Values.celery.worker.image .Values.images.django.image) "global" .Values.global "chart" .Chart ) }}
 {{- end -}}
 
-{{- define "django.uwsgi.repository" -}}
-{{- printf "%s" .Values.repositoryPrefix -}}/defectdojo-django
+{{- define "django.nginx.image" -}}
+{{ include "images.image" (dict "imageRoot" (merge .Values.django.nginx.image .Values.images.nginx.image) "global" .Values.global "chart" .Chart ) }}
 {{- end -}}
 
-{{- define "initializer.repository" -}}
-{{- printf "%s" .Values.repositoryPrefix -}}/defectdojo-django
+{{- define "django.uwsgi.image" -}}
+{{ include "images.image" (dict "imageRoot" (merge .Values.django.uwsgi.image .Values.images.django.image) "global" .Values.global "chart" .Chart ) }}
+{{- end -}}
+
+{{- define "initializer.image" -}}
+{{ include "images.image" (dict "imageRoot" (merge .Values.initializer.image .Values.images.django.image) "global" .Values.global "chart" .Chart ) }}
+{{- end -}}
+
+{{- define "dbMigrationChecker.image" -}}
+{{ include "images.image" (dict "imageRoot" (merge .Values.dbMigrationChecker.image .Values.images.django.image) "global" .Values.global "chart" .Chart ) }}
+{{- end -}}
+
+{{- define "unitTests.image" -}}
+{{ include "images.image" (dict "imageRoot" (merge .Values.tests.unitTests.image .Values.images.django.image) "global" .Values.global "chart" .Chart ) }}
+{{- end -}}
+
+{{- define "monitoring.prometheus.image" -}}
+{{ include "images.image" (dict "imageRoot" .Values.monitoring.prometheus.image "global" .Values.global ) }}
+{{- end -}}
+
+{{- /*
+Return the proper image name.
+If image tag and digest are not defined, termination fallbacks to chart appVersion.
+{{ include "images.image" ( dict "imageRoot" .Values.path.to.the.image "global" .Values.global "chart" .Chart ) }}
+Inspired by Bitnami Common Chart v2.31.7
+*/}}
+{{- define "images.image" -}}
+{{- $registryName := default .imageRoot.registry ((.global).imageRegistry) -}}
+{{- $repositoryName := .imageRoot.repository -}}
+{{- $separator := ":" -}}
+{{- $termination := .imageRoot.tag | toString -}}
+
+{{- if not .imageRoot.tag }}
+  {{- if .chart }}
+    {{- $termination = .chart.AppVersion | toString -}}
+  {{- end -}}
+{{- end -}}
+{{- if .imageRoot.digest }}
+    {{- $separator = "@" -}}
+    {{- $termination = .imageRoot.digest | toString -}}
+{{- end -}}
+{{- if $registryName }}
+    {{- printf "%s/%s%s%s" $registryName $repositoryName $separator $termination -}}
+{{- else -}}
+    {{- printf "%s%s%s"  $repositoryName $separator $termination -}}
+{{- end -}}
 {{- end -}}
 
 {{- define "initializer.jobname" -}}
@@ -141,7 +185,7 @@
   - sh
   - -c
   - while ! /app/manage.py migrate --check; do echo "Database is not migrated to the latest state yet"; sleep 5; done; echo "Database is migrated to the latest state";
-  image: '{{ template "django.uwsgi.repository" . }}:{{ .Values.tag }}'
+  image: '{{ template "dbMigrationChecker.image" . }}'
   imagePullPolicy: {{ .Values.imagePullPolicy }}
   {{- if .Values.securityContext.enabled }}
   securityContext:

helm/defectdojo/templates/celery-beat-deployment.yaml

@@ -99,7 +99,7 @@ spec:
       - command:
         - /entrypoint-celery-beat.sh
         name: celery
-        image: "{{ template "celery.repository" . }}:{{ .Values.tag }}"
+        image: "{{ template "celery.beat.image" . }}"
         imagePullPolicy: {{ .Values.imagePullPolicy }}
         {{- with .Values.celery.beat.livenessProbe }}
         livenessProbe: {{ toYaml . | nindent 10 }}

helm/defectdojo/templates/celery-worker-deployment.yaml

@@ -95,7 +95,7 @@ spec:
       {{- end }}
       containers:
       - name: celery
-        image: "{{ template "celery.repository" . }}:{{ .Values.tag }}"
+        image: "{{ template "celery.worker.image" . }}"
         imagePullPolicy: {{ .Values.imagePullPolicy }}
         {{- with .Values.celery.worker.livenessProbe }}
         livenessProbe: {{ toYaml . | nindent 10 }}

helm/defectdojo/templates/django-deployment.yaml

@@ -116,7 +116,7 @@ spec:
       containers:
       {{- if and .Values.monitoring.enabled .Values.monitoring.prometheus.enabled }}
       - name: metrics
-        image: {{ .Values.monitoring.prometheus.image }}
+        image: '{{ template "monitoring.prometheus.image" . }}'
         imagePullPolicy: {{ .Values.monitoring.prometheus.imagePullPolicy }}
         command:
         - /usr/bin/nginx-prometheus-exporter
@@ -152,7 +152,7 @@ spec:
         {{- end }}
       {{- end }}
       - name: uwsgi
-        image: '{{ template "django.uwsgi.repository" . }}:{{ .Values.tag }}'
+        image: '{{ template "django.uwsgi.image" . }}'
         imagePullPolicy: {{ .Values.imagePullPolicy }}
         {{- if .Values.securityContext.enabled }}
         securityContext:
@@ -254,7 +254,7 @@ spec:
         resources:
           {{- toYaml .Values.django.uwsgi.resources | nindent 10 }}
       - name: nginx
-        image: '{{ template "django.nginx.repository" . }}:{{ .Values.tag }}'
+        image: '{{ template "django.nginx.image" . }}'
         imagePullPolicy: {{ .Values.imagePullPolicy }}
         {{- if .Values.securityContext.enabled }}
         securityContext:

helm/defectdojo/templates/initializer-job.yaml

@@ -82,7 +82,7 @@ spec:
         - '/bin/bash'
         - '-c'
         - '/wait-for-it.sh ${DD_DATABASE_HOST:-postgres}:${DD_DATABASE_PORT:-5432} -t 300 -s -- /bin/echo Database is up'
-        image: '{{ template "django.uwsgi.repository" . }}:{{ .Values.tag }}'
+        image: "{{ template "initializer.image" . }}"
         imagePullPolicy: {{ .Values.imagePullPolicy }}
         {{- if .Values.securityContext.enabled }}
         securityContext:
@@ -113,7 +113,7 @@ spec:
         {{- end }}
       containers:
       - name: initializer
-        image: "{{ template "initializer.repository" . }}:{{ .Values.tag }}"
+        image: "{{ template "initializer.image" . }}"
         imagePullPolicy: {{ .Values.imagePullPolicy }}
         {{- if .Values.securityContext.enabled }}
         securityContext: