diff --git a/.github/workflows/k8s-tests.yml b/.github/workflows/k8s-tests.yml
index 95ad585fef9..a96dbfa7bee 100644
--- a/.github/workflows/k8s-tests.yml
+++ b/.github/workflows/k8s-tests.yml
@@ -73,8 +73,8 @@ jobs:
 --set images.nginx.image.tag=latest \
 --set imagePullPolicy=Never \
 --set initializer.keepSeconds="-1" \
- --set redis.enabled=true \
- --set createRedisSecret=true \
+ --set valkey.enabled=true \
+ --set createValkeySecret=true \
 --set postgresql.enabled=true \
 --set createPostgresqlSecret=true \
 --set createSecret=true
diff --git a/docs/content/en/open_source/upgrading/2.53.md b/docs/content/en/open_source/upgrading/2.53.md
index 6fe8977f174..b6970b87fc9 100644
--- a/docs/content/en/open_source/upgrading/2.53.md
+++ b/docs/content/en/open_source/upgrading/2.53.md
@@ -2,20 +2,54 @@ title: 'Upgrading to DefectDojo Version 2.53.x' toc_hide: true weight: -20251103 -description: Helm chart changes - +description: "Helm chart: changes for initializer annotations + Replaced Redis with Valkey + HPA & PDB support" --- ## Helm Chart Changes -This release introduces an important change to the Helm chart configuration for the initializer job and support for HPA and PDB. +- This release introduces an important change to the Helm chart configuration for the initializer job. +- DefectDojo `2.52.0` replaced Redis with Valkey in `docker-compose` deployment. DefectDojo `2.53.0` (chart `1.9.0`) is replacing it in HELM charts. +- Add support for HPA and PDB -### New values +#### HPA & PDA Added Helm chart support for Celery and Django deployments for Horizontal Pod Autoscaler using `.autoscaling` fields under each section. And Pod Disruption Budget using `.podDisruptionBudget` for any of Celery Beat/Worker or Django deploy ### Breaking changes +#### Valkey + +##### Renamed values + +HELM values had been changed to the following: +- `createRedisSecret` → `createValkeySecret` +- `redis.enabled` → `valkey.enabled` +- `redis.auth.existingSecret` → `valkey.auth.existingSecret`, plus value is pointing to secret `defectdojo-valkey-specific` now +- `redis.auth.existingSecretPasswordKey` → `valkey.auth.existingSecretPasswordKey`, plus value is pointing to secret `valkey-password` now +- `redis.auth.password` → `valkey.auth.password` +- `redis.master.service.ports.redis` → `valkey.service.port` +- `redis.sentinel...` → `valkey.sentinel...` +- `redis.tls...` → `valkey.tls...` + +The whole subchart is based on [`cloudpirates-valkey`](https://artifacthub.io/packages/helm/cloudpirates-valkey/valkey), so all additional values can be found there. + +If an external Redis instance is being used, set the parameter `valkey.enabled` to `False`. The parameters `redisServer` and `redisParams` remain available and function as before. 
Additionally, `redisScheme` and `redisPort` have been introduced to accommodate users requiring these configurations. + +##### How to migrate to Valkey + +0. As always, perform a backup of your instance +1. If you would like to be 100% sure that you do not miss any async event (triggered deduplication, email notification, ...) it is recommended to perform the following substeps (if your system is not in production and/or you are willing to miss some notifications or postpone deduplication to a later time, feel free to skip these substeps) + 0. Perform the following steps with your previous version of HELM chart (not with the upgraded one - you might lose your data) + 1. Downscale all producers of async tasks: + - Set `django.replicas` to 0 (if you used HPA, adjust it based on your needs) + - Set `celery.beat.replicas` to 0 (if you used HPA, adjust it based on your needs) + - Do not change `celery.worker.replicas` (they are responsible for processing your async tasks) + 2. Wait until the processing queue is empty (choose one of the following methods): + - ``kubectl exec statefulset/defectdojo-redis-master -c redis -- redis-cli -a `kubectl get secret defectdojo-redis-specific -o go-template='{{index .data "redis-password" | base64decode}}'` llen celery`` -- should output 0 (if your HELM chart used a different name, adjust the command based on your environment) + - `kubectl logs deployment/defectdojo-celery-worker -c celery --all-pods=true --follow` -- should stop outputting new task logs +2. Replace values based on the _Renamed values_ part, update the chart version, and set the number of replicas back. Be aware that Valkey is using a password from the new location, and if you use `createRedisSecret`/`createValkeySecret` password will be regenerated. If you stored this password somewhere else, it will not be valid anymore. +3. 
Enjoy DefectDojo + #### Initializer Annotation Handling - **Renamed initializer annotations**: The `initializer.annotations` field has been renamed to `initializer.podAnnotations` for clarity and consistency with other DefectDojo resources. @@ -23,7 +57,7 @@ Added Helm chart support for Celery and Django deployments for Horizontal Pod Au > The previous implementation did not merge global `extraAnnotations` with the initializer job's pod annotations, causing inconsistencies in annotation management. -#### Moved values +##### Moved values The following Helm chart values have been modified in this release: @@ -31,7 +65,7 @@ The following Helm chart values have been modified in this release: Note: `initializer.jobAnnotations` affects the Job spec metadata, while `initializer.podAnnotations` affects the Pod template metadata within the Job. -#### Migration +##### Migration If you were using: @@ -54,3 +88,5 @@ Both `extraAnnotations` and `initializer.podAnnotations` will now be properly ap ## Reimport updates fields fix_available and fix_version Reimport will update existing findings `fix_available` and `fix_version` fields based on the incoming scan report. + +There are no other special instructions for upgrading to 2.53.x. Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.53.0) for the contents of the release. diff --git a/helm/defectdojo/Chart.lock b/helm/defectdojo/Chart.lock index 53a5c180867..ea0498f4989 100644 --- a/helm/defectdojo/Chart.lock +++ b/helm/defectdojo/Chart.lock 
@@ -2,8 +2,8 @@ dependencies:
 - name: postgresql
 repository: oci://us-docker.pkg.dev/os-public-container-registry/defectdojo
 version: 16.7.27
-- name: redis
- repository: oci://us-docker.pkg.dev/os-public-container-registry/defectdojo
- version: 19.6.4
-digest: sha256:b22ad615baaa104a188c735f74ddddaec83b698315bb82f722679f762be64b50
-generated: "2025-08-27T11:22:22.13669-05:00"
+- name: valkey
+ repository: oci://registry-1.docker.io/cloudpirates
+ version: 0.10.2
+digest: sha256:65773fc2a992a5688995a98ed396ca54de12b88fd7b124459a39961801ae62f3
+generated: "2025-11-25T20:48:39.324383+01:00"
diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml
index be6585cc4f8..66202ee7db2 100644
--- a/helm/defectdojo/Chart.yaml
+++ b/helm/defectdojo/Chart.yaml
@@ -13,10 +13,10 @@ dependencies:
 version: ~16.7.0
 repository: "oci://us-docker.pkg.dev/os-public-container-registry/defectdojo"
 condition: postgresql.enabled
- - name: redis
- version: ~19.6.4
- repository: "oci://us-docker.pkg.dev/os-public-container-registry/defectdojo"
- condition: redis.enabled
+ - name: valkey
+ version: ~0.10.0
+ repository: "oci://registry-1.docker.io/cloudpirates"
+ condition: valkey.enabled
 # For correct syntax, check https://artifacthub.io/docs/topics/annotations/helm/
 # This is example for "artifacthub.io/changes"
 # artifacthub.io/changes: |
@@ -43,3 +43,5 @@ annotations:
 description: chore(deps)_ update gcr.io/cloudsql_docker/gce_proxy docker tag from 1.37.9 to v1.37.10 (helm/defectdojo/values.yaml)
 - kind: changed
 description: chore(deps)_ update nginx/nginx_prometheus_exporter docker tag from 1.4.2 to v1.5.1 (helm/defectdojo/values.yaml)
+ - kind: changed
+ description: Replace Redis with Valkey
diff --git a/helm/defectdojo/README.md b/helm/defectdojo/README.md
index 88345f92a98..fbb4e0bbbcc 100644
--- a/helm/defectdojo/README.md
+++ b/helm/defectdojo/README.md
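Review bot: The new `valkey` dependency is resolved directly from the third-party `oci://registry-1.docker.io/cloudpirates` namespace with a floating `~0.10.0` range, while the sibling `postgresql` entry (and the removed `redis` entry) come from the project-controlled `oci://us-docker.pkg.dev/os-public-container-registry/defectdojo` mirror. Chart.lock pins a digest for `helm dependency build`, but `helm dependency update` or any consumer that only has Chart.yaml will take whatever 0.10.x the upstream publisher pushes next, so the supply-chain posture is now weaker for this one subchart. Mirroring the Valkey chart into the same registry as postgresql, presumably the reason the other dependencies live there, would restore the previous posture; if that is deliberately deferred, a one-line `#` comment above `- name: valkey` saying so would stop the next reviewer from asking the same question.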
@@ -94,7 +94,7 @@ helm install \ --set django.ingress.enabled=${DJANGO_INGRESS_ENABLED} \ --set django.ingress.activateTLS=${DJANGO_INGRESS_ACTIVATE_TLS} \ --set createSecret=true \ - --set createRedisSecret=true \ + --set createValkeySecret=true \ --set createPostgresqlSecret=true ``` @@ -280,10 +280,10 @@ helm install \ --set host="defectdojo.${TLS_CERT_DOMAIN}" \ --set django.ingress.secretName="minikube-tls" \ --set createSecret=true \ - --set createRedisSecret=true \ + --set createValkeySecret=true \ --set createPostgresqlSecret=true -# For high availability deploy multiple instances of Django, Celery and Redis +# For high availability deploy multiple instances of Django, Celery and Valkey helm install \ defectdojo \ ./helm/defectdojo \ @@ -292,9 +292,10 @@ helm install \ --set django.ingress.secretName="minikube-tls" \ --set django.replicas=3 \ --set celery.worker.replicas=3 \ - --set redis.replicas=3 \ + --set valkey.architecture=replication \ + --set valkey.replicaCount=3 \ --set createSecret=true \ - --set createRedisSecret=true \ + --set createValkeySecret=true \ --set createPostgresqlSecret=true # Run highly available PostgreSQL cluster @@ -306,13 +307,14 @@ helm install \ --set host="defectdojo.${TLS_CERT_DOMAIN}" \ --set django.replicas=3 \ --set celery.worker.replicas=3 \ - --set redis.replicas=3 \ + --set valkey.architecture=replication \ + --set valkey.replicaCount=3 \ --set django.ingress.secretName="minikube-tls" \ --set postgresql.enabled=true \ --set postgresql.replication.enabled=true \ --set postgresql.replication.slaveReplicas=3 \ --set createSecret=true \ - --set createRedisSecret=true \ + --set createValkeySecret=true \ --set createPostgresqlSecret=true # Note: If you run `helm install defectdojo before, you will get an error 
@@ -359,16 +361,13 @@ You will still need to set a host value as well. If you want to use a redis-sentinel setup as the Celery broker, you will need to set the following. -1. Set redis.scheme to "sentinel" in values.yaml +1. Set valkey.scheme to "sentinel" in values.yaml 2. Set two additional extraEnv vars specifying the sentinel master name and port in values.yaml ```yaml -celery: - broker: 'redis' - -redis: - redisServer: 'PutYourRedisSentinelAddress' +valkey: scheme: 'sentinel' +redisServer: 'PutYourRedisSentinelAddress' extraEnv: - name: DD_CELERY_BROKER_TRANSPORT_OPTIONS @@ -451,10 +450,10 @@ extraEnv: #### Step 4: Deploy DefectDojo -After modifying the `values.yaml` file as needed, deploy DefectDojo using Helm. This command also generates the required secrets for the DefectDojo admin UI and Redis: +After modifying the `values.yaml` file as needed, deploy DefectDojo using Helm. This command also generates the required secrets for the DefectDojo admin UI and Valkey: ```bash -helm install defectdojo defectdojo -f values.yaml -n defectdojo --set createSecret=true --set createRedisSecret=true +helm install defectdojo defectdojo -f values.yaml -n defectdojo --set createSecret=true --set createValkeySecret=true ``` **NOTE**: It is important to highlight that this setup can also be utilized for achieving high availability (HA) in PostgreSQL. By placing a load balancer in front of the PostgreSQL cluster, read and write requests can be efficiently routed to the appropriate primary or standby servers as needed. @@ -526,8 +525,8 @@ A Helm chart for Kubernetes to install DefectDojo | Repository | Name | Version | |------------|------|---------| +| oci://registry-1.docker.io/cloudpirates | valkey | ~0.10.0 | | oci://us-docker.pkg.dev/os-public-container-registry/defectdojo | postgresql | ~16.7.0 | -| oci://us-docker.pkg.dev/os-public-container-registry/defectdojo | redis | ~19.6.4 | ## Values 
@@ -564,7 +563,6 @@ A Helm chart for Kubernetes to install DefectDojo | celery.beat.resources.requests.memory | string | `"128Mi"` | | | celery.beat.startupProbe | object | `{}` | Enable startup probe for Celery beat container. | | celery.beat.tolerations | list | `[]` | | -| celery.broker | string | `"redis"` | | | celery.logLevel | string | `"INFO"` | | | celery.worker.affinity | object | `{}` | | | celery.worker.annotations | object | `{}` | Annotations for the Celery worker deployment. | @@ -603,8 +601,8 @@ A Helm chart for Kubernetes to install DefectDojo | cloudsql.use_private_ip | bool | `false` | whether to use a private IP to connect to the database | | cloudsql.verbose | bool | `true` | By default, the proxy has verbose logging. Set this to false to make it less verbose | | createPostgresqlSecret | bool | `false` | create postgresql secret in defectdojo chart, outside of postgresql chart | -| createRedisSecret | bool | `false` | create redis secret in defectdojo chart, outside of redis chart | | createSecret | bool | `false` | create defectdojo specific secret | +| createValkeySecret | bool | `false` | create valkey secret in defectdojo chart, outside of valkey chart | | dbMigrationChecker.containerSecurityContext | object | `{}` | Container security context for the DB migration checker. | | dbMigrationChecker.enabled | bool | `true` | Enable/disable the DB migration checker. | | dbMigrationChecker.extraEnv | list | `[]` | Additional environment variables for DB migration checker. | 
@@ -750,10 +748,9 @@ A Helm chart for Kubernetes to install DefectDojo | postgresql.primary.podSecurityContext.enabled | bool | `true` | Default is true for K8s. Enabled needs to false for OpenShift restricted SCC and true for anyuid SCC | | postgresql.primary.podSecurityContext.fsGroup | int | `1001` | fsGroup specification below is not applied if enabled=false. enabled=false is the required setting for OpenShift "restricted SCC" to work successfully. | | postgresql.volumePermissions.containerSecurityContext | object | `{"runAsUser":1001}` | if using restricted SCC set runAsUser: "auto" and if running under anyuid SCC - runAsUser needs to match the line above | -| redis | object | `{"architecture":"standalone","auth":{"existingSecret":"defectdojo-redis-specific","existingSecretPasswordKey":"redis-password","password":""},"enabled":true,"sentinel":{"enabled":false},"tls":{"enabled":false}}` | For more advance options check the bitnami chart documentation: https://github.com/bitnami/charts/tree/main/bitnami/redis | -| redis.enabled | bool | `true` | To use an external instance, switch enabled to `false`` and set the address in `redisServer` below | -| redis.tls.enabled | bool | `false` | If TLS is enabled, the Redis broker will use the redis:// and optionally mount the certificates from an existing secret. 
| -| redisParams | string | `""` | Parameters attached to the redis connection string, defaults to "ssl_cert_reqs=optional" if `redis.tls.enabled` | +| redisParams | string | `""` | Parameters attached to the redis connection string, defaults to "ssl_cert_reqs=optional" if `redisScheme` is `rediss` | +| redisPort | int | `6379` | Define the protocol to use with the external Redis instance | +| redisScheme | string | `"redis"` | Define the protocol to use with the external Redis instance | | redisServer | string | `nil` | To use an external Redis instance, set `redis.enabled` to false and set the address here: | | revisionHistoryLimit | int | `10` | Allow overriding of revisionHistoryLimit across all deployments. | | secrets.annotations | object | `{}` | Add annotations for secret resources | 
@@ -770,6 +767,11 @@ A Helm chart for Kubernetes to install DefectDojo | tests.unitTests.resources.requests.cpu | string | `"100m"` | | | tests.unitTests.resources.requests.memory | string | `"128Mi"` | | | trackConfig | string | `"disabled"` | Track configuration (trackConfig): will automatically respin application pods in case of config changes detection can be: 1. disabled (default) 2. enabled, enables tracking configuration changes based on SHA256 | +| valkey | object | `{"auth":{"existingSecret":"defectdojo-valkey-specific","existingSecretPasswordKey":"valkey-password","password":""},"enabled":true,"sentinel":{"enabled":false},"service":{"port":6379},"tls":{"enabled":false}}` | For more advance options check the bitnami chart documentation: https://artifacthub.io/packages/helm/cloudpirates-valkey/valkey | +| valkey.enabled | bool | `true` | To use an external instance, switch enabled to `false` and set the address in `redisServer` below | +| valkey.service | object | `{"port":6379}` | To use a different port for Redis (default: 6379) | +| valkey.tls.enabled | bool | `false` | If TLS is enabled, the Redis broker will use the redis:// and optionally mount the certificates from an existing secret. | +| valkeyParams | string | `""` | Parameters attached to the valkey connection string, defaults to "ssl_cert_reqs=optional" if `valkey.tls.enabled` | ---------------------------------------------- Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2) diff --git a/helm/defectdojo/README.md.gotmpl b/helm/defectdojo/README.md.gotmpl index 2edff657296..b596d0dff6c 100644 --- a/helm/defectdojo/README.md.gotmpl +++ b/helm/defectdojo/README.md.gotmpl 
@@ -94,7 +94,7 @@ helm install \ --set django.ingress.enabled=${DJANGO_INGRESS_ENABLED} \ --set django.ingress.activateTLS=${DJANGO_INGRESS_ACTIVATE_TLS} \ --set createSecret=true \ - --set createRedisSecret=true \ + --set createValkeySecret=true \ --set createPostgresqlSecret=true ``` @@ -280,10 +280,10 @@ helm install \ --set host="defectdojo.${TLS_CERT_DOMAIN}" \ --set django.ingress.secretName="minikube-tls" \ --set createSecret=true \ - --set createRedisSecret=true \ + --set createValkeySecret=true \ --set createPostgresqlSecret=true -# For high availability deploy multiple instances of Django, Celery and Redis +# For high availability deploy multiple instances of Django, Celery and Valkey helm install \ defectdojo \ ./helm/defectdojo \ @@ -292,9 +292,10 @@ helm install \ --set django.ingress.secretName="minikube-tls" \ --set django.replicas=3 \ --set celery.worker.replicas=3 \ - --set redis.replicas=3 \ + --set valkey.architecture=replication \ + --set valkey.replicaCount=3 \ --set createSecret=true \ - --set createRedisSecret=true \ + --set createValkeySecret=true \ --set createPostgresqlSecret=true # Run highly available PostgreSQL cluster @@ -306,13 +307,14 @@ helm install \ --set host="defectdojo.${TLS_CERT_DOMAIN}" \ --set django.replicas=3 \ --set celery.worker.replicas=3 \ - --set redis.replicas=3 \ + --set valkey.architecture=replication \ + --set valkey.replicaCount=3 \ --set django.ingress.secretName="minikube-tls" \ --set postgresql.enabled=true \ --set postgresql.replication.enabled=true \ --set postgresql.replication.slaveReplicas=3 \ --set createSecret=true \ - --set createRedisSecret=true \ + --set createValkeySecret=true \ --set createPostgresqlSecret=true # Note: If you run `helm install defectdojo before, you will get an error 
@@ -359,16 +361,13 @@ You will still need to set a host value as well. If you want to use a redis-sentinel setup as the Celery broker, you will need to set the following. -1. Set redis.scheme to "sentinel" in values.yaml +1. Set valkey.scheme to "sentinel" in values.yaml 2. Set two additional extraEnv vars specifying the sentinel master name and port in values.yaml ```yaml -celery: - broker: 'redis' - -redis: - redisServer: 'PutYourRedisSentinelAddress' +valkey: scheme: 'sentinel' +redisServer: 'PutYourRedisSentinelAddress' extraEnv: - name: DD_CELERY_BROKER_TRANSPORT_OPTIONS @@ -451,10 +450,10 @@ extraEnv: #### Step 4: Deploy DefectDojo -After modifying the `values.yaml` file as needed, deploy DefectDojo using Helm. This command also generates the required secrets for the DefectDojo admin UI and Redis: +After modifying the `values.yaml` file as needed, deploy DefectDojo using Helm. This command also generates the required secrets for the DefectDojo admin UI and Valkey: ```bash -helm install defectdojo defectdojo -f values.yaml -n defectdojo --set createSecret=true --set createRedisSecret=true +helm install defectdojo defectdojo -f values.yaml -n defectdojo --set createSecret=true --set createValkeySecret=true ``` diff --git a/helm/defectdojo/templates/_helpers.tpl b/helm/defectdojo/templates/_helpers.tpl index b6243d6ac19..aaf7981e34e 100644 --- a/helm/defectdojo/templates/_helpers.tpl +++ b/helm/defectdojo/templates/_helpers.tpl 
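Review bot: The rewritten sentinel example sets `valkey.scheme: 'sentinel'`, but nothing in this diff reads a `valkey.scheme` value: the `valkey` object added to values.schema.json has no `scheme` property, the `redis.scheme` helper derives `sentinel` from `valkey.sentinel.enabled` when the subchart is enabled and from `redisScheme` otherwise, and `redis.hostname` only consults `redisServer` when `valkey.enabled` is false, so with default values this snippet still points Celery at `<release>-valkey`. For an external sentinel the example should presumably set `valkey.enabled: false`, `redisScheme: 'sentinel'` and `redisServer: 'PutYourRedisSentinelAddress'`, and step 1 should name `redisScheme` instead of `valkey.scheme`; the in-cluster alternative would be `valkey.sentinel.enabled: true`. The same text appears in the generated README.md hunk of this diff, so fixing the template here is enough.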
@@ -58,27 +58,51 @@
 {{- end -}}
 
 {{- define "redis.hostname" -}}
-{{- if eq .Values.celery.broker "redis" -}}
-{{- if .Values.redis.enabled -}}
-{{- printf "%s-%s" .Release.Name "redis-master" | trunc 63 | trimSuffix "-" -}}
+{{- if .Values.valkey.enabled -}}
+{{- printf "%s-%s" .Release.Name "valkey" | trunc 63 | trimSuffix "-" -}}
 {{- else -}}
 {{- .Values.redisServer | default "127.0.0.1" | quote -}}
 {{- end -}}
 {{- end -}}
+
+{{- /*
+ Determine the default params to use for Redis.
+*/}}
+{{- define "redis.params" -}}
+{{- $redisScheme := include "redis.scheme" . -}}
+{{- $defaultBrokerParams := ternary "ssl_cert_reqs=optional" "" (eq "rediss" $redisScheme) -}}
+{{- if .Values.valkey.enabled -}}
+{{- default $defaultBrokerParams .Values.valkeyParams -}}
+{{- else -}}
+{{- default $defaultBrokerParams .Values.redisParams -}}
+{{- end -}}
 {{- end -}}
 
 {{- /*
 Determine the protocol to use for Redis.
 */}}
 {{- define "redis.scheme" -}}
-{{- if eq .Values.celery.broker "redis" -}}
-{{- if .Values.redis.tls.enabled -}}
-{{- printf "rediss" -}}
-{{- else if .Values.redis.sentinel.enabled -}}
-{{- printf "sentinel" -}}
+{{- if .Values.valkey.enabled -}}
+{{- if .Values.valkey.tls.enabled -}}
+rediss
+{{- else if .Values.valkey.sentinel.enabled -}}
+sentinel
+{{- else -}}
+redis
+{{- end -}}
 {{- else -}}
-{{- printf "redis" -}}
+{{- .Values.redisScheme -}}
+{{- end -}}
 {{- end -}}
+
+{{- /*
+ Determine the default port to use for Redis.
+*/}}
+{{- define "redis.port" -}}
+{{- if .Values.valkey.enabled -}}
+{{- .Values.valkey.service.port -}}
+{{- else -}}
+{{- .Values.redisPort -}}
 {{- end -}}
 {{- end -}}
 
diff --git a/helm/defectdojo/templates/celery-beat-deployment.yaml b/helm/defectdojo/templates/celery-beat-deployment.yaml
index b1832f71e29..be3c5e84ef0 100644
--- a/helm/defectdojo/templates/celery-beat-deployment.yaml
+++ b/helm/defectdojo/templates/celery-beat-deployment.yaml
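Review bot: The external-instance branches of `redis.scheme` and `redis.port` emit `.Values.redisScheme` and `.Values.redisPort` with no fallback, whereas the sibling branch of `redis.hostname` guards with `default "127.0.0.1"`; a values override that nulls either key (or `--set redisScheme=`) renders an empty `DD_CELERY_BROKER_SCHEME` / `DD_CELERY_BROKER_PORT` instead of the `"redis"` / `6379` defaults the README table in this diff advertises. `{{- .Values.redisScheme | default "redis" -}}` and `{{- .Values.redisPort | default 6379 -}}` would mirror the existing pattern; the defaults themselves are presumably set in a values.yaml hunk not shown here. The header comment on `redis.params` says it determines the "default params", but the template returns the effective value (user-supplied `valkeyParams`/`redisParams`, else the TLS default), so `Resolve the broker params: the user-supplied value, else "ssl_cert_reqs=optional" when the scheme is rediss.` would describe it more precisely.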
@@ -144,10 +144,8 @@ spec:
 - name: DD_CELERY_BROKER_PASSWORD
 valueFrom:
 secretKeyRef:
- {{- if eq .Values.celery.broker "redis" }}
- name: {{ .Values.redis.auth.existingSecret | default "defectdojo-redis-specific" }}
- key: {{ .Values.redis.auth.existingSecretPasswordKey | default "redis-password" }}
- {{- end }}
+ name: {{ .Values.valkey.auth.existingSecret | default "defectdojo-valkey-specific" }}
+ key: {{ .Values.valkey.auth.existingSecretPasswordKey | default "valkey-password" }}
 - name: DD_DATABASE_PASSWORD
 valueFrom:
 secretKeyRef:
diff --git a/helm/defectdojo/templates/celery-worker-deployment.yaml b/helm/defectdojo/templates/celery-worker-deployment.yaml
index 9acf2cd49c6..30620c91155 100644
--- a/helm/defectdojo/templates/celery-worker-deployment.yaml
+++ b/helm/defectdojo/templates/celery-worker-deployment.yaml
@@ -139,10 +139,8 @@ spec:
 - name: DD_CELERY_BROKER_PASSWORD
 valueFrom:
 secretKeyRef:
- {{- if eq .Values.celery.broker "redis" }}
- name: {{ .Values.redis.auth.existingSecret| default "defectdojo-redis-specific" }}
- key: {{ .Values.redis.auth.existingSecretPasswordKey | default "redis-password" }}
- {{- end }}
+ name: {{ .Values.valkey.auth.existingSecret| default "defectdojo-valkey-specific" }}
+ key: {{ .Values.valkey.auth.existingSecretPasswordKey | default "valkey-password" }}
 - name: DD_DATABASE_PASSWORD
 valueFrom:
 secretKeyRef:
diff --git a/helm/defectdojo/templates/configmap.yaml b/helm/defectdojo/templates/configmap.yaml
index d25926c2c3f..8f1d510a1a4 100644
--- a/helm/defectdojo/templates/configmap.yaml
+++ b/helm/defectdojo/templates/configmap.yaml
@@ -1,5 +1,6 @@
 {{- $fullName := include "defectdojo.fullname" . -}}
-{{- $defaultBrokerParams := ternary "ssl_cert_reqs=optional" "" .Values.redis.tls.enabled -}}
+{{- $redisScheme := include "redis.scheme" . -}}
+{{- $defaultBrokerParams := ternary "ssl_cert_reqs=optional" "" (eq "rediss" $redisScheme) -}}
 apiVersion: v1
 kind: ConfigMap
 metadata:
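Review bot: The `default "defectdojo-valkey-specific"` and `default "valkey-password"` literals on the new `name:`/`key:` lines are repeated verbatim in the celery-worker and django-deployment hunks of this diff and once more as the values.yaml defaults, so a future rename of the secret has four places to miss and the duplicated defaults can silently diverge from values.yaml. A pair of named templates in `_helpers.tpl`, e.g. `{{- define "valkey.auth.secretName" -}}{{ .Values.valkey.auth.existingSecret | default "defectdojo-valkey-specific" }}{{- end -}}` plus a matching one for the key, would let all three deployments render `name: {{ include "valkey.auth.secretName" . }}`. The container env list continues outside the hunk.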
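Review bot: The rewritten `name:` line keeps the missing space before the pipe, `{{ .Values.valkey.auth.existingSecret| default "defectdojo-valkey-specific" }}`, which the celery-beat and django-deployment hunks in this diff write as `existingSecret | default`. Since the line is new on this side anyway, `name: {{ .Values.valkey.auth.existingSecret | default "defectdojo-valkey-specific" }}` keeps the three templates byte-identical and greppable.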
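Review bot: `$redisScheme` and `$defaultBrokerParams` are computed at the top of configmap.yaml, but as far as this diff shows nothing reads them any more: the next hunk switches `DD_CELERY_BROKER_PARAMS` to `{{ template "redis.params" . }}`, and that helper derives both values itself. Unless another use survives further down the file, both lines can go, leaving only `{{- $fullName := include "defectdojo.fullname" . -}}`; keeping a second copy of the `ssl_cert_reqs=optional` rule here invites drift the next time the helper changes.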
@@ -26,11 +27,11 @@ data:
 DD_ADMIN_LAST_NAME: {{ .Values.admin.LastName | default "User" }}
 DD_ALLOWED_HOSTS: {{ include "django.allowed_hosts" . }}
 DD_SITE_URL: {{ .Values.siteUrl | default "http://localhost:8080" }}
- DD_CELERY_BROKER_SCHEME: {{ if eq .Values.celery.broker "redis" }}{{ template "redis.scheme" . }}{{ end }}
+ DD_CELERY_BROKER_SCHEME: {{ template "redis.scheme" . }}
 DD_CELERY_BROKER_USER: ''
- DD_CELERY_BROKER_HOST: {{ if eq .Values.celery.broker "redis" }}{{ template "redis.hostname" . }}{{ end }}
- DD_CELERY_BROKER_PORT: '{{ if eq .Values.celery.broker "redis" }}{{- if ( hasKey .Values.redis "master" ) -}}{{ .Values.redis.master.service.ports.redis }}{{ else }}6379{{ end }}{{- end -}}'
- DD_CELERY_BROKER_PARAMS: '{{ .Values.redisParams | default $defaultBrokerParams }}'
+ DD_CELERY_BROKER_HOST: {{ template "redis.hostname" . }}
+ DD_CELERY_BROKER_PORT: '{{ template "redis.port" . }}'
+ DD_CELERY_BROKER_PARAMS: '{{ template "redis.params" . }}'
 DD_CELERY_BROKER_PATH: '{{ .Values.celery.path | default "//" }}'
 DD_CELERY_LOG_LEVEL: {{ .Values.celery.logLevel }}
 DD_CELERY_WORKER_POOL_TYPE: {{ .Values.celery.worker.appSettings.poolType | default "solo" }}
diff --git a/helm/defectdojo/templates/django-deployment.yaml b/helm/defectdojo/templates/django-deployment.yaml
index ff2285908ee..0a5e86ff420 100644
--- a/helm/defectdojo/templates/django-deployment.yaml
+++ b/helm/defectdojo/templates/django-deployment.yaml
@@ -199,10 +199,8 @@ spec:
 - name: DD_CELERY_BROKER_PASSWORD
 valueFrom:
 secretKeyRef:
- {{- if eq .Values.celery.broker "redis" }}
- name: {{ .Values.redis.auth.existingSecret | default "defectdojo-redis-specific" }}
- key: {{ .Values.redis.auth.existingSecretPasswordKey | default "redis-password" }}
- {{- end }}
+ name: {{ .Values.valkey.auth.existingSecret | default "defectdojo-valkey-specific" }}
+ key: {{ .Values.valkey.auth.existingSecretPasswordKey | default "valkey-password" }}
 {{- if .Values.django.uwsgi.enableDebug }}
 - name: DD_DEBUG
 value: 'True'
diff --git a/helm/defectdojo/templates/secret-redis.yaml b/helm/defectdojo/templates/secret-redis.yaml
deleted file mode 100644
index b2a5a3a84c2..00000000000
--- a/helm/defectdojo/templates/secret-redis.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-{{- if .Values.createRedisSecret -}}
-apiVersion: v1
-kind: Secret
-metadata:
- annotations:
- {{- if (not .Values.disableHooks) }}
- helm.sh/resource-policy: keep
- helm.sh/hook: "pre-install"
- helm.sh/hook-delete-policy: "before-hook-creation"
- {{- end }}
- {{- range $key, $value := mergeOverwrite dict .Values.extraAnnotations .Values.secrets.annotations }}
- {{ $key }}: {{ quote $value }}
- {{- end }}
- labels:
- app.kubernetes.io/name: {{ include "defectdojo.name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
- helm.sh/chart: {{ include "defectdojo.chart" . }}
- {{- range $key, $value := .Values.extraLabels }}
- {{ $key }}: {{ quote $value }}
- {{- end }}
- name: {{ .Values.redis.auth.existingSecret }}
- namespace: {{ .Release.Namespace }}
-type: Opaque
-data:
-{{- if .Values.redis.auth.password }}
- {{ .Values.redis.auth.existingSecretPasswordKey }}: {{ .Values.redis.auth.password | b64enc | quote }}
-{{- else }}
- {{ .Values.redis.auth.existingSecretPasswordKey }}: {{ randAlphaNum 10 | b64enc | quote }}
-{{- end }}
-{{- end }}
diff --git a/helm/defectdojo/templates/secret-valkey.yaml b/helm/defectdojo/templates/secret-valkey.yaml
new file mode 100644
index 00000000000..bbfffa3ab78
--- /dev/null
+++ b/helm/defectdojo/templates/secret-valkey.yaml
@@ -0,0 +1,43 @@
+{{- if .Values.createValkeySecret -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ annotations:
+ {{- if (not .Values.disableHooks) }}
+ helm.sh/resource-policy: keep
+ {{- if or (not (lookup "v1" "Secret" .Release.Namespace "defectdojo-redis-specific")) (lookup "v1" "Secret" .Release.Namespace .Values.valkey.auth.existingSecret) }}
+ helm.sh/hook: "pre-install"
+ {{- else }}
+ helm.sh/hook: "pre-upgrade"
+ {{- end }}
+ helm.sh/hook-delete-policy: "before-hook-creation"
+ {{- end }}
+ {{- range $key, $value := mergeOverwrite dict .Values.extraAnnotations .Values.secrets.annotations }}
+ {{ $key }}: {{ quote $value }}
+ {{- end }}
+ labels:
+ app.kubernetes.io/name: {{ include "defectdojo.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ helm.sh/chart: {{ include "defectdojo.chart" . }}
+ {{- range $key, $value := .Values.extraLabels }}
+ {{ $key }}: {{ quote $value }}
+ {{- end }}
+ name: {{ .Values.valkey.auth.existingSecret }}
+ namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+{{- if .Values.valkey.auth.password }}
+ {{ .Values.valkey.auth.existingSecretPasswordKey }}: {{ .Values.valkey.auth.password | b64enc | quote }}
+{{- else }}
+ {{ .Values.valkey.auth.existingSecretPasswordKey }}: {{ randAlphaNum 10 | b64enc | quote }}
+{{- end }}
+{{- end }}
+
+---
+{{- if .Values.createRedisSecret -}}
+{{- fail "Error: 'createRedisSecret' value is not supported anymore. Because of license reason, DefectDojo migrated to Valkey. Use 'createValkeySecret' instead. To be sure that you Redis is migrated to Valkey correctly, please follow release notes." }}
+{{- end }}
+{{- if .Values.redis -}}
+{{- fail "Error: Redis is not officialy part of DefectDojo stack anymore. If you have any values in `redis:` section in `values.yaml` file, please migrate them to `valkey:` section. If you are using external Redis (or Redis-compatible) instance, related values about your instance needs to be stored in `redisServer` and `redisParams` variables. For more information, please follow release notes." }}
+{{- end }}
diff --git a/helm/defectdojo/templates/tests/unit-tests.yaml b/helm/defectdojo/templates/tests/unit-tests.yaml
index 01fa4cf1041..efa6b2c39c3 100644
--- a/helm/defectdojo/templates/tests/unit-tests.yaml
+++ b/helm/defectdojo/templates/tests/unit-tests.yaml
@@ -36,10 +36,8 @@ spec:
 valueFrom:
 secretKeyRef:
 # Use broker chart secret
- # name: {{ $fullName }}-{{ .Values.celery.broker }}
- # Use secret handled outside of the chart
- name: defectdojo-{{ .Values.celery.broker }}-specific
- key: {{ .Values.celery.broker }}-password
+ name: defectdojo-valkey-specific
+ key: valkey-password
 - name: DD_DATABASE_PASSWORD
 valueFrom:
 secretKeyRef:
diff --git a/helm/defectdojo/values.schema.json b/helm/defectdojo/values.schema.json
index cbd0f7cbfec..ddf4a9be67a 100644
--- a/helm/defectdojo/values.schema.json
+++ b/helm/defectdojo/values.schema.json
@@ -153,9 +153,6 @@
 }
 }
 },
- "broker": {
- "type": "string"
- },
 "logLevel": {
 "type": "string"
 },
@@ -383,14 +380,14 @@
 "description": "create postgresql secret in defectdojo chart, outside of postgresql chart",
 "type": "boolean"
 },
- "createRedisSecret": {
- "description": "create redis secret in defectdojo chart, outside of redis chart",
- "type": "boolean"
- },
 "createSecret": {
 "description": "create defectdojo specific secret",
 "type": "boolean"
 },
+ "createValkeySecret": {
+ "description": "create valkey secret in defectdojo chart, outside of valkey chart",
+ "type": "boolean"
+ },
 "dbMigrationChecker": {
 "type": "object",
 "properties": {
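Review bot: The hook choice on the `{{- if or (not (lookup "v1" "Secret" ... "defectdojo-redis-specific")) (lookup ... .Values.valkey.auth.existingSecret) }}` line hard-wires the old secret name as a literal, so a release that had overridden `redis.auth.existingSecret` sees no `defectdojo-redis-specific` secret, takes the `pre-install` branch, and on `helm upgrade` gets no Valkey secret at all while the deployments in this diff already reference it; comparing against the previous value (or documenting in the 2.53 notes that custom-named installs must create the secret themselves) would close that gap. `lookup` also returns empty under `helm template` and `--dry-run`, so those paths always render `pre-install`, which is worth a one-line template comment above the condition so nobody debugs a dry-run diff against a live upgrade. `randAlphaNum 10` is carried over unchanged from the removed secret-redis.yaml; since the value is generated once and only ever read from the Secret, a longer string such as `randAlphaNum 32` costs nothing. The two `fail` messages are new text and carry typos: `you Redis` → `your Redis` and `officialy` → `officially`.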
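Review bot: The new `name: defectdojo-valkey-specific` / `key: valkey-password` lines hard-code the secret coordinates, while the celery and django deployment hunks in this diff read `.Values.valkey.auth.existingSecret` and `.Values.valkey.auth.existingSecretPasswordKey` with those same strings only as defaults; a user who overrides the secret name gets a healthy release but a `helm test` pod whose secretKeyRef cannot resolve. Using the same expressions here, `name: {{ .Values.valkey.auth.existingSecret | default "defectdojo-valkey-specific" }}` and `key: {{ .Values.valkey.auth.existingSecretPasswordKey | default "valkey-password" }}`, keeps the test aligned with the workloads it exercises. The surviving `# Use broker chart secret` comment now describes nothing, since the subchart-secret alternative it introduced was deleted in this hunk, and can go too.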
@@ -1323,52 +1320,16 @@
 }
 }
 },
- "redis": {
- "description": "For more advance options check the bitnami chart documentation: https://github.com/bitnami/charts/tree/main/bitnami/redis",
- "type": "object",
- "properties": {
- "architecture": {
- "type": "string"
- },
- "auth": {
- "type": "object",
- "properties": {
- "existingSecret": {
- "type": "string"
- },
- "existingSecretPasswordKey": {
- "type": "string"
- },
- "password": {
- "type": "string"
- }
- }
- },
- "enabled": {
- "description": "To use an external instance, switch enabled to `false`` and set the address in `redisServer` below",
- "type": "boolean"
- },
- "sentinel": {
- "type": "object",
- "properties": {
- "enabled": {
- "type": "boolean"
- }
- }
- },
- "tls": {
- "type": "object",
- "properties": {
- "enabled": {
- "description": "If TLS is enabled, the Redis broker will use the redis:// and optionally mount the certificates from an existing secret.",
- "type": "boolean"
- }
- }
- }
- }
- },
 "redisParams": {
- "description": "Parameters attached to the redis connection string, defaults to \"ssl_cert_reqs=optional\" if `redis.tls.enabled`",
+ "description": "Parameters attached to the redis connection string, defaults to \"ssl_cert_reqs=optional\" if `redisScheme` is `rediss`",
+ "type": "string"
+ },
+ "redisPort": {
+ "description": "Define the protocol to use with the external Redis instance",
+ "type": "integer"
+ },
+ "redisScheme": {
+ "description": "Define the protocol to use with the external Redis instance",
 "type": "string"
 },
 "redisServer": {
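Review bot: The new `redisPort` entry reuses the `redisScheme` description word for word, "Define the protocol to use with the external Redis instance", so the schema documents a port as a protocol. The README table in this diff shows the same sentence on the `redisPort` row, which suggests both are generated from a `# --` comment in values.yaml that is not in view here; the fix belongs there, with this file regenerated, e.g. `"description": "Define the port to use with the external Redis instance"`. The `redisServer` description that follows still tells users to set `redis.enabled` to false, a key this same diff removes; it should now read `valkey.enabled`.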
@@ -1502,6 +1463,60 @@
 "trackConfig": {
 "description": "Track configuration (trackConfig): will automatically respin application pods in case of config changes detection can be: 1. disabled (default) 2. enabled, enables tracking configuration changes based on SHA256",
 "type": "string"
+ },
+ "valkey": {
+ "description": "For more advance options check the bitnami chart documentation: https://artifacthub.io/packages/helm/cloudpirates-valkey/valkey",
+ "type": "object",
+ "properties": {
+ "auth": {
+ "type": "object",
+ "properties": {
+ "existingSecret": {
+ "type": "string"
+ },
+ "existingSecretPasswordKey": {
+ "type": "string"
+ },
+ "password": {
+ "type": "string"
+ }
+ }
+ },
+ "enabled": {
+ "description": "To use an external instance, switch enabled to `false` and set the address in `redisServer` below",
+ "type": "boolean"
+ },
+ "sentinel": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ }
+ }
+ },
+ "service": {
+ "description": "To use a different port for Redis (default: 6379)",
+ "type": "object",
+ "properties": {
+ "port": {
+ "type": "integer"
+ }
+ }
+ },
+ "tls": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "description": "If TLS is enabled, the Redis broker will use the redis:// and optionally mount the certificates from an existing secret.",
+ "type": "boolean"
+ }
+ }
+ }
+ }
+ },
+ "valkeyParams": {
+ "description": "Parameters attached to the valkey connection string, defaults to \"ssl_cert_reqs=optional\" if `valkey.tls.enabled`",
+ "type": "string"
 }
 }
 }
diff --git a/helm/defectdojo/values.yaml b/helm/defectdojo/values.yaml
index 2f154df7858..baf9aeeb618 100644
--- a/helm/defectdojo/values.yaml
+++ b/helm/defectdojo/values.yaml
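Review bot: The new `valkey` description still tells the reader to "check the bitnami chart documentation" while its URL points at the cloudpirates-valkey chart; `"description": "For more advanced options check the cloudpirates-valkey chart documentation: https://artifacthub.io/packages/helm/cloudpirates-valkey/valkey"` would match the link. The same wording is repeated as the `valkey:` comment in the values.yaml hunk at line 632. The `valkey.tls.enabled` description, carried over verbatim from the removed `redis` block, states that the broker uses `redis://` when TLS is enabled, where `rediss://` is presumably meant, and the `service` description still says "port for Redis" under a key that now configures Valkey.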
@@ -9,8 +9,8 @@ securityContext:
 # -- create defectdojo specific secret
 createSecret: false
-# -- create redis secret in defectdojo chart, outside of redis chart
-createRedisSecret: false
+# -- create valkey secret in defectdojo chart, outside of valkey chart
+createValkeySecret: false
 # -- create postgresql secret in defectdojo chart, outside of postgresql chart
 createPostgresqlSecret: false
 # -- Track configuration (trackConfig): will automatically respin application pods in case of config changes detection
@@ -210,7 +210,6 @@ secrets:
 # Components
 celery:
- broker: redis
 logLevel: INFO
 # -- Common annotations to worker and beat deployments and pods.
 annotations: {}
@@ -632,20 +631,17 @@ gke:
 # Only works with serviceAccount.create = true
 workloadIdentityEmail: ""
-# -- For more advance options check the bitnami chart documentation: https://github.com/bitnami/charts/tree/main/bitnami/redis
-redis:
- # -- To use an external instance, switch enabled to `false`` and set the address in `redisServer` below
+# -- For more advance options check the bitnami chart documentation: https://artifacthub.io/packages/helm/cloudpirates-valkey/valkey
+valkey:
+ # -- To use an external instance, switch enabled to `false` and set the address in `redisServer` below
 enabled: true
 auth:
- existingSecret: defectdojo-redis-specific
- existingSecretPasswordKey: redis-password
+ existingSecret: defectdojo-valkey-specific
+ existingSecretPasswordKey: valkey-password
 password: ""
- architecture: standalone
- # To use a different port for Redis (default: 6379) add a port number and uncomment the lines below:
- # master:
- # service:
- # ports:
- # redis: xxxx
+ # -- To use a different port for Redis (default: 6379)
+ service:
+ port: 6379
 # Sentinel configuration parameters
 sentinel:
 enabled: false
@@ -700,14 +696,20 @@ extraEnv: []
 # ```
 localsettingspy: ""
+# -- Parameters attached to the valkey connection string, defaults to "ssl_cert_reqs=optional" if `valkey.tls.enabled`
+valkeyParams: ""
 #
 # External database support.
 #
 # @schema type:[string, null]
 # -- To use an external Redis instance, set `redis.enabled` to false and set the address here:
 redisServer: ~
-# -- Parameters attached to the redis connection string, defaults to "ssl_cert_reqs=optional" if `redis.tls.enabled`
+# -- Parameters attached to the redis connection string, defaults to "ssl_cert_reqs=optional" if `redisScheme` is `rediss`
 redisParams: ""
+# -- Define the protocol to use with the external Redis instance
+redisPort: 6379
+# -- Define the protocol to use with the external Redis instance
+redisScheme: redis
 #
 # @schema type:[string, null]
 # -- To use an external PostgreSQL instance (like CloudSQL), set `postgresql.enabled` to false,
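Review bot: The new `redisPort` and `redisScheme` keys are added beneath an unchanged context comment on `redisServer` that still reads "set `redis.enabled` to false", a value this same commit renames to `valkey.enabled`; the comment should say `valkey.enabled` so the external-instance section is consistent with the `valkey:` block at line 632. The `redisScheme: redis` default means an external broker is reached without TLS unless the operator changes it, and nothing on that key says how; a one-line comment on it such as `# -- Use rediss for a TLS connection to the external instance (see redisParams)` would document the choice where it is made. The `valkeyParams` key lands between `localsettingspy` and the "External database support" banner although it applies to the in-chart Valkey, so consider placing it next to the `valkey:` block instead.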