
Harmonize helm #11168

Merged (1 commit), Nov 20, 2024

Conversation

@JGodin-C2C (Contributor) commented Oct 31, 2024

Description

Harmonize the different labels in the helm chart.

After @dsever's and @cneill's comments on the previous PR.

See #11108

@JGodin-C2C JGodin-C2C changed the base branch from master to dev October 31, 2024 08:18
@JGodin-C2C JGodin-C2C marked this pull request as draft October 31, 2024 08:18
dryrunsecurity bot commented Oct 31, 2024

DryRun Security Summary

The pull request focuses on improving the deployment and configuration of the DefectDojo application in a Kubernetes environment, with a focus on security-related aspects such as improved secret management, secure configuration settings, network segmentation, flexible configurations, and monitoring and observability.


Summary:

The code changes in this pull request are focused on improving the deployment and configuration of the DefectDojo application in a Kubernetes environment. The changes span several Kubernetes resource templates, including ConfigMaps, Deployments, Services, Secrets, and Network Policies.

The key security-related aspects of these changes include:

  1. Improved Secret Management: The code ensures that sensitive information, such as database passwords, Celery broker passwords, and Redis authentication credentials, is stored securely in Kubernetes Secrets. This is a recommended security practice.

  2. Secure Configuration Settings: The changes include setting security-related environment variables, such as DD_SESSION_COOKIE_SECURE and DD_CSRF_COOKIE_SECURE, to ensure that the Django application is properly configured for security.

  3. Network Segmentation: The addition of Kubernetes Network Policies helps to enforce network segmentation and control the flow of traffic between different components of the DefectDojo application, improving the overall security posture.

  4. Flexible Configurations: The ability to add extra labels, annotations, and environment variables to the various Kubernetes resources provides more flexibility for users to customize the deployment and align it with their security requirements.

  5. Monitoring and Observability: The changes include the ability to expose Prometheus-compatible metrics, which can aid in monitoring and observability of the application, a crucial aspect of security.

Overall, the code changes in this pull request appear to be focused on improving the security, configurability, and maintainability of the DefectDojo application deployment in a Kubernetes environment. While there are no major security concerns identified, it's important to thoroughly review the entire application and infrastructure setup to ensure that there are no other potential vulnerabilities or security risks.

Files Changed:

  1. helm/defectdojo/templates/configmap.yaml: Adds support for "extraLabels" and "extraConfigs" in the ConfigMap.
  2. helm/defectdojo/templates/django-deployment.yaml: Adds support for extra labels, environment variables, and health checks.
  3. helm/defectdojo/templates/celery-beat-deployment.yaml: Adds support for extra labels, volume mounts, and secret management.
  4. helm/defectdojo/templates/celery-worker-deployment.yaml: Adds support for extra labels, environment variables, and sidecar containers.
  5. helm/defectdojo/templates/django-ingress.yaml: Adds support for extra labels and HTTPS configuration.
  6. helm/defectdojo/templates/extra-secret.yaml: Adds support for extra labels.
  7. helm/defectdojo/templates/django-service.yaml: Adds support for extra labels and service configuration.
  8. helm/defectdojo/templates/media-pvc.yaml: Adds support for extra labels.
  9. helm/defectdojo/templates/sa.yaml: Adds support for extra labels and GCP service account association.
  10. helm/defectdojo/templates/initializer-job.yaml: Adds support for extra configuration options.
  11. helm/defectdojo/templates/network-policy.yaml: Adds support for extra labels and flexible ingress/egress configuration.
  12. helm/defectdojo/templates/secret-postgresql-ha-pgpool.yaml: Adds support for extra labels and password management.
  13. helm/defectdojo/templates/secret-postgresql.yaml: Adds support for extra labels.
  14. helm/defectdojo/templates/secret-postgresql-ha.yaml: Adds support for extra labels and password management.
  15. helm/defectdojo/templates/secret-redis.yaml: Adds support for extra labels and password management.
  16. helm/defectdojo/templates/secret.yaml: Adds support for extra labels.
  17. helm/defectdojo/values.yaml: Adds support for extra labels.

Code Analysis

We ran 9 analyzers against 17 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

@cneill (Contributor) left a comment:

Thanks for tidying these other blocks up. Just a few tweaks required here.

Review comments (outdated, resolved) on:

  • helm/defectdojo/templates/configmap.yaml (two comments)
  • helm/defectdojo/templates/django-deployment.yaml
  • helm/defectdojo/templates/django-ingress.yaml
  • helm/defectdojo/templates/initializer-job.yaml
  • helm/defectdojo/templates/network-policy.yaml (two comments)
@cneill (Contributor) left a comment:

Looks good! Thanks for your work on this.

@JGodin-C2C (Contributor, Author) commented:

Do I need to do anything else to see this merged?
Or should I just wait?

@cneill (Contributor) commented Nov 7, 2024

We'll need to get some other reviewers to approve it, but I think it's good to go. Any other thoughts before we merge @dsever ?

@dsever (Contributor) commented Nov 11, 2024

@cneill fine to me

@Maffooch Maffooch requested a review from kiblik November 18, 2024 22:56
@mtesauro (Contributor) left a comment:

Approved

@kiblik (Contributor) left a comment:

As an improvement, I do not see any issue here. I tested this change locally on a small setup as well.

  1. I would probably use a "common helper" for the future
    • but it might be done in the next PR - now there is no reason to block this PR; it is a "nice to have" feature
  2. And I would add these labels to gke-managed-certificate.yaml as well
    • but this would need to be tested by people using this functionality. I do not have experience with it and I'm unable to test possible side effects (maybe there are not any, but I cannot be sure).

@Maffooch Maffooch merged commit dd63842 into DefectDojo:dev Nov 20, 2024
73 checks passed
6 participants