fix: add missing resources, securityContext and env entries

helm/defectdojo/README.md

@@ -524,6 +524,7 @@ A Helm chart for Kubernetes to install DefectDojo
 | admin.password | string | `nil` |  |
 | admin.secretKey | string | `nil` |  |
 | admin.user | string | `"admin"` |  |
+| alternativeHosts | list | `[]` |  |
 | annotations | object | `{}` |  |
 | celery.annotations | object | `{}` |  |
 | celery.beat.affinity | object | `{}` |  |
@@ -569,6 +570,7 @@ A Helm chart for Kubernetes to install DefectDojo
 | cloudsql.image.repository | string | `"gcr.io/cloudsql-docker/gce-proxy"` |  |
 | cloudsql.image.tag | string | `"1.37.9"` |  |
 | cloudsql.instance | string | `""` |  |
+| cloudsql.resources | object | `{}` |  |
 | cloudsql.use_private_ip | bool | `false` |  |
 | cloudsql.verbose | bool | `true` |  |
 | createPostgresqlSecret | bool | `false` |  |
@@ -582,7 +584,9 @@ A Helm chart for Kubernetes to install DefectDojo
 | disableHooks | bool | `false` |  |
 | django.affinity | object | `{}` |  |
 | django.annotations | object | `{}` |  |
+| django.extraEnv | list | `[]` |  |
 | django.extraInitContainers | list | `[]` |  |
+| django.extraVolumeMounts | list | `[]` |  |
 | django.extraVolumes | list | `[]` |  |
 | django.ingress.activateTLS | bool | `true` |  |
 | django.ingress.annotations | object | `{}` |  |
@@ -665,12 +669,14 @@ A Helm chart for Kubernetes to install DefectDojo
 | initializer.resources.requests.cpu | string | `"100m"` |  |
 | initializer.resources.requests.memory | string | `"256Mi"` |  |
 | initializer.run | bool | `true` |  |
+| initializer.securityContext.runAsNonRoot | bool | `true` |  |
 | initializer.staticName | bool | `false` |  |
 | initializer.tolerations | list | `[]` |  |
 | monitoring.enabled | bool | `false` |  |
 | monitoring.prometheus.enabled | bool | `false` |  |
 | monitoring.prometheus.image | string | `"nginx/nginx-prometheus-exporter:1.4.2"` |  |
 | monitoring.prometheus.imagePullPolicy | string | `"IfNotPresent"` |  |
+| monitoring.prometheus.resources | object | `{}` |  |
 | networkPolicy.annotations | object | `{}` |  |
 | networkPolicy.egress | list | `[]` |  |
 | networkPolicy.enabled | bool | `false` |  |
@@ -717,6 +723,8 @@ A Helm chart for Kubernetes to install DefectDojo
 | serviceAccount.annotations | object | `{}` |  |
 | serviceAccount.create | bool | `true` |  |
 | serviceAccount.labels | object | `{}` |  |
+| serviceAccount.name | string | `""` |  |
+| siteUrl | string | `""` |  |
 | tag | string | `"latest"` |  |
 | tests.unitTests.resources.limits.cpu | string | `"500m"` |  |
 | tests.unitTests.resources.limits.memory | string | `"512Mi"` |  |

helm/defectdojo/templates/_helpers.tpl

@@ -163,9 +163,13 @@ Create the name of the service account to use
       secretKeyRef:
         name: {{ .Values.postgresql.auth.existingSecret | default "defectdojo-postgresql-specific" }}
         key: {{ .Values.postgresql.auth.secretKeys.userPasswordKey | default "postgresql-password" }}
-  {{- if .Values.extraEnv }}
-  {{- toYaml .Values.extraEnv | nindent 2 }}
+  {{- with.Values.django.extraEnv }}
+    {{- toYaml . | nindent 2 }}
   {{- end }}
   resources:
     {{- toYaml .Values.dbMigrationChecker.resources | nindent 4 }}
+  {{- with .Values.django.extraVolumeMounts }}
+  volumeMounts:
+    {{- . | toYaml | nindent 4 }}
+  {{- end }}
 {{- end -}}

helm/defectdojo/templates/celery-worker-deployment.yaml

@@ -57,12 +57,12 @@ spec:
       - name: {{ . }}
       {{- end }}
       volumes:
-      {{- if  .Values.localsettingspy }}
+      {{- if .Values.localsettingspy }}
       - name: localsettingspy
         configMap:
           name: {{ $fullName }}-localsettingspy
       {{- end }}
-      {{- if  .Values.django.uwsgi.certificates.enabled }}
+      {{- if .Values.django.uwsgi.certificates.enabled }}
       - name: cert-mount
         configMap:
           name: {{ .Values.django.uwsgi.certificates.configName }}

helm/defectdojo/templates/django-deployment.yaml

@@ -101,9 +101,19 @@ spec:
       - name: cloudsql-proxy
         image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }}
         imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }}
+        {{- with .Values.django.extraEnv }}
+        env: {{- . | toYaml | nindent 8 }}
+        {{- end }}
+        {{- with .Values.cloudsql.resources }}
+        resources: {{- . | toYaml | nindent 10 }}
+        {{- end }}
         restartPolicy: Always
         securityContext:
+          {{- if .Values.securityContext.enabled }}
+          {{- toYaml .Values.securityContext.djangoSecurityContext | nindent 10 }}
+          {{- else }}
           runAsNonRoot: true
+          {{- end }}
         command: ["/cloud_sql_proxy"]
         args:
         - "-verbose={{ .Values.cloudsql.verbose }}"
@@ -114,9 +124,12 @@ spec:
         {{- if .Values.cloudsql.use_private_ip }}
         - "-ip_address_types=PRIVATE"
         {{- end }}
+        {{- with .Values.django.extraVolumeMounts }}
+        volumeMounts: {{ . | toYaml | nindent 10 }}
+        {{- end }}
       {{- end }}
       {{- if .Values.dbMigrationChecker.enabled }}
-      {{$data := dict "fullName" $fullName }}
+      {{- $data := dict "fullName" $fullName }}
       {{- $newContext := merge . (dict "fullName" $fullName) }}
       {{- include "dbMigrationChecker" $newContext | nindent 6 }}
       {{- end }}
@@ -126,7 +139,13 @@ spec:
       - name: metrics
         image: {{ .Values.monitoring.prometheus.image }}
         imagePullPolicy: {{ .Values.monitoring.prometheus.imagePullPolicy }}
-        command: [ '/usr/bin/nginx-prometheus-exporter', '--nginx.scrape-uri', 'http://127.0.0.1:8080/nginx_status']
+        command:
+        - /usr/bin/nginx-prometheus-exporter
+        - --nginx.scrape-uri
+        - http://127.0.0.1:8080/nginx_status
+        {{- with .Values.django.extraEnv }}
+        env: {{- . | toYaml | nindent 8 }}
+        {{- end }}
         ports:
         - name: http-metrics
           protocol: TCP
@@ -138,6 +157,16 @@ spec:
           periodSeconds: 20
           initialDelaySeconds: 15
           timeoutSeconds: 5
+        {{- with .Values.monitoring.prometheus.resources }}
+        resources: {{- . | toYaml | nindent 10 }}
+        {{- end }}
+        {{- if .Values.securityContext.enabled }}
+        securityContext:
+          {{- .Values.securityContext.djangoSecurityContext | toYaml | nindent 10 }}
+        {{- end }}
+        {{- with .Values.django.extraVolumeMounts }}
+        volumeMounts: {{ . | toYaml | nindent 10 }}
+        {{- end }}
       {{- end }}
       - name: uwsgi
         image: '{{ template "django.uwsgi.repository" . }}:{{ .Values.tag }}'
@@ -159,6 +188,9 @@ spec:
         - name: cert-mount
           mountPath: {{ .Values.django.uwsgi.certificates.certMountPath }}
         {{- end }}
+        {{- with .Values.django.extraVolumeMounts }}
+          {{- . | toYaml | nindent 8 }}
+        {{- end }}
         {{- with .Values.django.uwsgi.extraVolumeMounts }}
           {{- . | toYaml | nindent 8 }}
         {{- end }}
@@ -209,7 +241,7 @@ spec:
           value: {{- if or .Values.django.ingress.activateTLS .Values.django.nginx.tls.enabled }} "True" {{- else }} "False" {{- end }}
         - name: DD_CSRF_COOKIE_SECURE
           value: {{- if or .Values.django.ingress.activateTLS .Values.django.nginx.tls.enabled }} "True" {{- else }} "False" {{- end }}
-        {{- with .Values.extraEnv }}
+        {{- with .Values.django.extraEnv }}
           {{- . | toYaml | nindent 8 }}
         {{- end }}
         {{- with .Values.django.uwsgi.extraEnv }}
@@ -241,6 +273,9 @@ spec:
         volumeMounts:
         - name: run
           mountPath: /run/defectdojo
+        {{- with .Values.django.extraVolumeMounts }}
+          {{- . | toYaml | nindent 8 }}
+        {{- end }}
         {{- with .Values.django.nginx.extraVolumeMounts }}
           {{- . | toYaml | nindent 8 }}
         {{- end }}
@@ -265,7 +300,7 @@ spec:
           value: '{{ .Values.django.nginx.tls.enabled }}'
         - name: GENERATE_TLS_CERTIFICATE
           value: '{{ .Values.django.nginx.tls.generateCertificate }}'
-        {{- with .Values.extraEnv }}
+        {{- with .Values.django.extraEnv }}
           {{- . | toYaml | nindent 8 }}
         {{- end }}
         {{- with .Values.django.nginx.extraEnv }}

helm/defectdojo/templates/initializer-job.yaml

@@ -67,8 +67,10 @@ spec:
         image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }}
         imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }}
         restartPolicy: Always
+        {{- if .Values.securityContext.enabled }}
         securityContext:
-          runAsNonRoot: true
+          {{- toYaml .Values.initializer.securityContext | nindent 10 }}
+        {{- end }}
         command: ["/cloud_sql_proxy"]
         args:
         - "-verbose={{ .Values.cloudsql.verbose }}"
@@ -96,7 +98,7 @@ spec:
         imagePullPolicy: {{ .Values.imagePullPolicy }}
         {{- if .Values.securityContext.enabled }}
         securityContext:
-          {{- toYaml .Values.securityContext.djangoSecurityContext | nindent 10 }}
+          {{- toYaml .Values.initializer.securityContext | nindent 10 }}
         {{- end }}
         envFrom:
         - configMapRef:
@@ -123,7 +125,7 @@ spec:
         imagePullPolicy: {{ .Values.imagePullPolicy }}
         {{- if .Values.securityContext.enabled }}
         securityContext:
-          {{- toYaml .Values.securityContext.djangoSecurityContext | nindent 10 }}
+          {{- toYaml .Values.initializer.securityContext | nindent 10 }}
         {{- end }}
         volumeMounts:
         {{- if .Values.localsettingspy }}

helm/defectdojo/values.schema.json

@@ -31,6 +31,9 @@
                 }
             }
         },
+        "alternativeHosts": {
+            "type": "array"
+        },
         "annotations": {
             "type": "object"
         },
@@ -224,6 +227,9 @@
                 "instance": {
                     "type": "string"
                 },
+                "resources": {
+                    "type": "object"
+                },
                 "use_private_ip": {
                     "type": "boolean"
                 },
@@ -288,9 +294,15 @@
                 "annotations": {
                     "type": "object"
                 },
+                "extraEnv": {
+                    "type": "array"
+                },
                 "extraInitContainers": {
                     "type": "array"
                 },
+                "extraVolumeMounts": {
+                    "type": "array"
+                },
                 "extraVolumes": {
                     "type": "array"
                 },
@@ -658,6 +670,14 @@
                 "run": {
                     "type": "boolean"
                 },
+                "securityContext": {
+                    "type": "object",
+                    "properties": {
+                        "runAsNonRoot": {
+                            "type": "boolean"
+                        }
+                    }
+                },
                 "staticName": {
                     "type": "boolean"
                 },
@@ -683,6 +703,9 @@
                         },
                         "imagePullPolicy": {
                             "type": "string"
+                        },
+                        "resources": {
+                            "type": "object"
                         }
                     }
                 }
@@ -944,9 +967,15 @@
                 },
                 "labels": {
                     "type": "object"
+                },
+                "name": {
+                    "type": "string"
                 }
             }
         },
+        "siteUrl": {
+            "type": "string"
+        },
         "tag": {
             "type": "string"
         },

helm/defectdojo/values.yaml

@@ -55,12 +55,13 @@ networkPolicy:
 host: defectdojo.default.minikube.local
 
 # The full URL to your defectdojo instance, depends on the domain where DD is deployed, it also affects links in Jira
+siteUrl: ""
 # siteUrl: 'https://<yourdomain>'
 
 # optional list of alternative hostnames to use that gets appended to
 # DD_ALLOWED_HOSTS. This is necessary when your local hostname does not match
 # the global hostname.
-# alternativeHosts:
+alternativeHosts: []
 #  - defectdojo.example.com
 imagePullPolicy: Always
 # Where to pull the defectDojo images from. Defaults to "defectdojo/*" repositories on hub.docker.com
@@ -94,7 +95,7 @@ serviceAccount:
 
   # The name of the service account to use.
   # If not set and create is true, a name is generated using the fullname template
-  # name: ""
+  name: ""
 
   # Optional additional annotations to add to the DefectDojo's Service Account.
   annotations: {}
@@ -139,7 +140,8 @@ monitoring:
     enabled: false
     image: nginx/nginx-prometheus-exporter:1.4.2
     imagePullPolicy: IfNotPresent
-
+    # Optional: add resource requests/limits for the nginx prometheus exporter container
+    resources: {}
 annotations: {}
 
 secrets:
@@ -339,8 +341,12 @@ django:
       certMountPath: /certs/
       certFileName: ca.crt
 
+  # Additional environment variables injected to all Django containers and initContainers.
+  extraEnv: []
   # A list of additional initContainers to run before the uwsgi and nginx containers.
   extraInitContainers: []
+  # Array of additional volume mount points common to all containers and initContainers.
+  extraVolumeMounts: []
   # A list of extra volumes to mount.
   extraVolumes: []
 
@@ -378,6 +384,8 @@ initializer:
     limits:
       cpu: 2000m
       memory: 512Mi
+  securityContext:
+    runAsNonRoot: true
   # Additional environment variables injected to the initializer job pods.
   extraEnv: []
   # Array of additional volume mount points for the initializer job (init)containers.
@@ -449,6 +457,8 @@ cloudsql:
   enable_iam_login: false
   # whether to use a private IP to connect to the database
   use_private_ip: false
+  # Optional: add resource requests/limits for the CloudSQL proxy container
+  resources: {}
 
 # Settings to make running the chart on GKE simpler
 gke: