fix(helm): merge extraAnnotations with init job annotations (#13677)

* fix(helm): merge extraAnnotations with init job annotations

* fix: artifacthub annotation

* docs: 2.53 upgrade instructions

* docs(helm): update readme

* fix: values schema

Author: qlimenoque

docs/content/en/open_source/upgrading/2.53.md

@@ -2,9 +2,50 @@
 title: 'Upgrading to DefectDojo Version 2.53.x'
 toc_hide: true
 weight: -20251103
-description: No special instructions.
+description: Helm chart changes for initializer annotations.
 ---
-There are no special instructions for upgrading to 2.53.x. Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.53.0) for the contents of the release.
+
+## Helm Chart Changes
+
+This release introduces an important change to the Helm chart configuration for the initializer job.
+
+### Breaking changes
+
+#### Initializer Annotation Handling
+
+- **Renamed initializer annotations**: The `initializer.annotations` field has been renamed to `initializer.podAnnotations` for clarity and consistency with other DefectDojo resources.
+- **Merged annotation support**: Global `extraAnnotations` are now automatically merged with the initializer's `podAnnotations` to ensure consistent annotation handling across all resources.
+
+> The previous implementation did not merge global `extraAnnotations` with the initializer job's pod annotations, causing inconsistencies in annotation management.
+
+#### Moved values
+
+The following Helm chart values have been modified in this release:
+
+- `initializer.annotations` → `initializer.podAnnotations` (applies to Pod template metadata within the Job)
+
+Note: `initializer.jobAnnotations` affects the Job spec metadata, while `initializer.podAnnotations` affects the Pod template metadata within the Job.
+
+#### Migration
+
+If you were using:
+
+```yaml
+initializer:
+  annotations:
+    foo: bar
+```
+
+Update to:
+
+```yaml
+initializer:
+  podAnnotations:
+    foo: bar
+```
+
+Both `extraAnnotations` and `initializer.podAnnotations` will now be properly applied to the initializer pod.
 
 ## Reimport updates fields fix_available and fix_version
+
 Reimport will update existing findings `fix_available` and `fix_version` fields based on the incoming scan report.

helm/defectdojo/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: "2.53.0-dev"
 description: A Helm chart for Kubernetes to install DefectDojo
 name: defectdojo
-version: 1.8.2-dev
+version: 1.9.0-dev
 icon: https://defectdojo.com/hubfs/DefectDojo_favicon.png
 maintainers:
   - name: madchap
@@ -34,4 +34,6 @@ dependencies:
 #     description: Critical bug
 annotations:
   artifacthub.io/prerelease: "true"
-  artifacthub.io/changes: ""
+  artifacthub.io/changes: |
+    - kind: fixed
+      description: extraAnnotations spec doesn't affect initializer job

helm/defectdojo/README.md

@@ -495,7 +495,7 @@ kubectl delete pvc data-defectdojo-redis-0 data-defectdojo-postgresql-0
 
 # General information about chart values
 
-![Version: 1.8.2-dev](https://img.shields.io/badge/Version-1.8.2--dev-informational?style=flat-square) ![AppVersion: 2.53.0-dev](https://img.shields.io/badge/AppVersion-2.53.0--dev-informational?style=flat-square)
+![Version: 1.9.0-dev](https://img.shields.io/badge/Version-1.9.0--dev-informational?style=flat-square) ![AppVersion: 2.53.0-dev](https://img.shields.io/badge/AppVersion-2.53.0--dev-informational?style=flat-square)
 
 A Helm chart for Kubernetes to install DefectDojo
 
@@ -683,7 +683,6 @@ A Helm chart for Kubernetes to install DefectDojo
 | images.nginx.image.repository | string | `"defectdojo/defectdojo-nginx"` |  |
 | images.nginx.image.tag | string | `""` | If empty, use appVersion. Another possible values are: latest, X.X.X, X.X.X-alpine (where X.X.X is version of DD). For dev builds (only for testing purposes): nightly-dev, nightly-dev-alpine. To see all, check https://hub.docker.com/r/defectdojo/defectdojo-nginx/tags. |
 | initializer.affinity | object | `{}` |  |
-| initializer.annotations | object | `{}` |  |
 | initializer.automountServiceAccountToken | bool | `false` |  |
 | initializer.containerSecurityContext | object | `{}` | Container security context for the initializer Job container |
 | initializer.extraEnv | list | `[]` | Additional environment variables injected to the initializer job pods. |
@@ -694,6 +693,7 @@ A Helm chart for Kubernetes to install DefectDojo
 | initializer.keepSeconds | int | `60` | A positive integer will keep this Job and Pod deployed for the specified number of seconds, after which they will be removed. For all other values, the Job and Pod will remain deployed. |
 | initializer.labels | object | `{}` |  |
 | initializer.nodeSelector | object | `{}` |  |
+| initializer.podAnnotations | object | `{}` |  |
 | initializer.podSecurityContext | object | `{}` | Pod security context for the initializer Job |
 | initializer.resources.limits.cpu | string | `"2000m"` |  |
 | initializer.resources.limits.memory | string | `"512Mi"` |  |

helm/defectdojo/templates/initializer-job.yaml

@@ -36,9 +36,11 @@ spec:
         {{- with .Values.initializer.labels }}
           {{- toYaml . | nindent 8 }}
         {{- end }}
+      {{- with mergeOverwrite dict .Values.extraAnnotations .Values.initializer.podAnnotations }}
       annotations:
-      {{- with .Values.initializer.annotations }}
-        {{- toYaml . | nindent 8 }}
+        {{- range $key, $value := . }}
+        {{ $key }}: {{ quote $value }}
+        {{- end }}
       {{- end }}
     spec:
       {{- if .Values.securityContext.enabled }}

helm/defectdojo/values.schema.json

@@ -914,9 +914,6 @@
                 "affinity": {
                     "type": "object"
                 },
-                "annotations": {
-                    "type": "object"
-                },
                 "automountServiceAccountToken": {
                     "type": "boolean"
                 },
@@ -967,6 +964,9 @@
                 "nodeSelector": {
                     "type": "object"
                 },
+                "podAnnotations": {
+                    "type": "object"
+                },
                 "podSecurityContext": {
                     "description": "Pod security context for the initializer Job",
                     "type": "object"

helm/defectdojo/values.yaml

@@ -486,7 +486,7 @@ initializer:
   run: true
   automountServiceAccountToken: false
   jobAnnotations: {}
-  annotations: {}
+  podAnnotations: {}
   labels: {}
   # -- A positive integer will keep this Job and Pod deployed for the specified number of seconds, after which they will be removed. For all other values, the Job and Pod will remain deployed.
   keepSeconds: 60