Skip to content

fix(helm): merge extraAnnotations with init job annotations#13677

Merged
Maffooch merged 5 commits intoDefectDojo:devfrom
qlimenoque:fix/init-job-extra-annotations
Nov 15, 2025
Merged

fix(helm): merge extraAnnotations with init job annotations#13677
Maffooch merged 5 commits intoDefectDojo:devfrom
qlimenoque:fix/init-job-extra-annotations

Conversation

@qlimenoque
Copy link
Copy Markdown
Contributor

@qlimenoque qlimenoque commented Nov 11, 2025
edited
Loading

Description

Merges global extraAnnotations with initializer job's podAnnotations to ensure consistent annotation handling across all DefectDojo resources.

Changes

  • Renamed initializer.annotations to initializer.podAnnotations for clarity
  • Updated initializer job template to merge extraAnnotations with podAnnotations
  • Both annotation sets are now properly applied to the pod template
  • Bumped chart version from 1.8.1 to 1.9.0

⚠️ Breaking Change

This change is not backward compatible:

  • initializer.annotations has been renamed to initializer.podAnnotations
  • initializer.jobAnnotations affects the Job spec metadata
  • initializer.podAnnotations affects the Pod template metadata within the Job

Users must update their values.yaml to use initializer.podAnnotations instead of initializer.annotations.

Migration

If you were using:

initializer:
  annotations:
    foo: bar

Update to:

initializer:
  podAnnotations:
    foo: bar

@github-actions github-actions Bot added the helm label Nov 11, 2025
@qlimenoque qlimenoque force-pushed the fix/init-job-extra-annotations branch 2 times, most recently from a4cb6bb to c51686e Compare November 11, 2025 12:53
@kiblik
Copy link
Copy Markdown
Contributor

kiblik commented Nov 11, 2025
edited
Loading

Can you fix failed GHA, please? Update of schema, docs and release notes are needed.

@valentijnscholten
Copy link
Copy Markdown
Member

valentijnscholten commented Nov 11, 2025

@qlimenoque And can you base the PR against the dev branch.

@kiblik
Copy link
Copy Markdown
Contributor

kiblik commented Nov 11, 2025

Can you fix failed GHA, please? Update of schema, docs and release notes are needed.

Plus https://github.com/DefectDojo/django-DefectDojo/blob/dev/docs/content/en/open_source/upgrading/2.53.md

@qlimenoque qlimenoque changed the base branch from master to dev November 12, 2025 16:09
@qlimenoque qlimenoque force-pushed the fix/init-job-extra-annotations branch from c51686e to 61bdce7 Compare November 12, 2025 16:10
@qlimenoque qlimenoque force-pushed the fix/init-job-extra-annotations branch from 3380ca2 to ee5965a Compare November 12, 2025 16:23
@github-actions github-actions Bot added the docs label Nov 12, 2025
@qlimenoque qlimenoque force-pushed the fix/init-job-extra-annotations branch from 1c8f1d5 to ecede09 Compare November 12, 2025 16:28
@kiblik
Copy link
Copy Markdown
Contributor

kiblik commented Nov 13, 2025

@qlimenoque, keys in helm/defectdojo/values.schema.json are alphabetically ordered, so a simple rename is not enough. Can you move it to the right place?
Or feel free to use the method described in related GHA:

django-DefectDojo/.github/workflows/test-helm-chart.yml

Lines 143 to 146 in b9836f2

# The HELM structure supports the existence of a `values.schema.json` file. This file is used to validate all values provided by the user before Helm starts rendering templates.
# The chart needs to have a `values.schema.json` file that is compatible with the default `values.yaml` file.
# If this step fails, install https://github.com/losisin/helm-values-schema-json and run locally `helm schema --use-helm-docs` in `helm/defectdojo` before committing your changes.
# The helm schema will be generated for you.

@qlimenoque
Copy link
Copy Markdown
Contributor Author

qlimenoque commented Nov 13, 2025
edited
Loading

@kiblik thanks for pointing out the instruction!
I actually found the Helm schema plugin myself, but I used helm schema without the --use-helm-docs flag, which kept deleting the description field from the schema. I assumed the project used a different tool and ended up just renaming it 😀

It might be helpful to include this instruction in the README.md inside the Helm chart directory
It’s much harder to spot when it’s only mentioned in a CI step

@qlimenoque qlimenoque force-pushed the fix/init-job-extra-annotations branch from e24eec0 to 8fe8674 Compare November 13, 2025 10:34
@dryrunsecurity
Copy link
Copy Markdown

dryrunsecurity Bot commented Nov 13, 2025

DryRun Security

This pull request introduces a generic podAnnotations field in helm/defectdojo/values.schema.json that allows arbitrary annotations to be set on the initializer pod, which could be abused (for example to disable Istio sidecar injection or influence Pod Security Admission) to bypass security controls even though the job is short‑lived. While marked non‑blocking, this change raises a policy‑bypass risk if untrusted users can control Helm values.

Potential for Policy Bypass via Unrestricted Pod Annotations in helm/defectdojo/values.schema.json
Vulnerability Potential for Policy Bypass via Unrestricted Pod Annotations
Description The introduction of the podAnnotations field in values.schema.json as a generic object allows users to set arbitrary annotations on the initializer pod. This creates a potential for policy bypass if an attacker can influence the Helm values. Specific annotations (e.g., sidecar.istio.io/inject: "false") can be used to disable security features like service mesh sidecar injection, leading to unauthorized network access or circumvention of security policies. Other annotations could potentially influence Pod Security Admission or other admission controllers, leading to privilege escalation or other security compromises. While the initializer job is short-lived, the actions it performs can have significant and lasting security implications.

django-DefectDojo/helm/defectdojo/values.schema.json

Lines 967 to 969 in 8fe8674

"podAnnotations": {
"type": "object"
},

All finding details can be found in the DryRun Security Dashboard.

kiblik
kiblik approved these changes Nov 13, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@kiblik kiblik left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@kiblik kiblik mentioned this pull request Nov 13, 2025
Merged
mtesauro
mtesauro approved these changes Nov 14, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@mtesauro mtesauro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved

@valentijnscholten valentijnscholten added this to the 2.53.0 milestone Nov 14, 2025
@Maffooch Maffooch merged commit 5e9f1ae into DefectDojo:dev Nov 15, 2025
151 checks passed
Maffooch pushed a commit to valentijnscholten/django-DefectDojo that referenced this pull request Feb 16, 2026
@qlimenoque
fix(helm): merge extraAnnotations with init job annotations (DefectDo…
8478254 
…jo#13677)

* fix(helm): merge extraAnnotations with init job annotations

* fix: artifacthub annotation

* docs: 2.53 upgrade instructions

* docs(helm): update readme

* fix: values schema
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mtesauro mtesauro mtesauro approved these changes

@valentijnscholten valentijnscholten valentijnscholten approved these changes

@kiblik kiblik kiblik approved these changes

@Maffooch Maffooch Maffooch approved these changes

Assignees

No one assigned

Labels

docs helm

Projects

None yet

Milestone

2.53.0

Development

Successfully merging this pull request may close these issues.

5 participants

@qlimenoque @kiblik @valentijnscholten @mtesauro @Maffooch