DefectDojo
diff --git a/‎.github/workflows/k8s-tests.yml‎
Lines changed: 10 additions & 10 deletions b/‎.github/workflows/k8s-tests.yml‎
Lines changed: 10 additions & 10 deletions
diff --git a/‎docs/content/en/open_source/upgrading/2.51.md‎
Lines changed: 44 additions & 2 deletions b/‎docs/content/en/open_source/upgrading/2.51.md‎
Lines changed: 44 additions & 2 deletions
diff --git a/‎helm/defectdojo/Chart.yaml‎
Lines changed: 1 addition & 1 deletion b/‎helm/defectdojo/Chart.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎helm/defectdojo/templates/_helpers.tpl‎
Lines changed: 5 additions & 4 deletions b/‎helm/defectdojo/templates/_helpers.tpl‎
Lines changed: 5 additions & 4 deletions
diff --git a/‎helm/defectdojo/templates/celery-beat-deployment.yaml‎
Lines changed: 33 additions & 31 deletions b/‎helm/defectdojo/templates/celery-beat-deployment.yaml‎
Lines changed: 33 additions & 31 deletions
diff --git a/‎helm/defectdojo/templates/celery-worker-deployment.yaml‎
Lines changed: 31 additions & 29 deletions b/‎helm/defectdojo/templates/celery-worker-deployment.yaml‎
Lines changed: 31 additions & 29 deletions
@@ -108,17 +108,17 @@ jobs:
                  echo "INFO: status:"
                  kubectl get pods
                  echo "INFO: logs:"
-                 kubectl logs  --selector=$3 --all-containers=true
+                 kubectl logs --selector=$3 --all-containers=true
                  exit 1
                fi
                return ${?}
              }
              echo "Waiting for init job..."
-             to_complete  "condition=Complete" job "defectdojo.org/component=initializer"
+             to_complete "condition=Complete" job "defectdojo.org/component=initializer"
              echo "Waiting for celery pods..."
-             to_complete  "condition=ready" pod "defectdojo.org/component=celery"
+             to_complete "condition=ready" pod "defectdojo.org/component=celery"
              echo "Waiting for django pod..."
-             to_complete  "condition=ready" pod "defectdojo.org/component=django"
+             to_complete "condition=ready" pod "defectdojo.org/component=django"
              echo "Pods up and ready to rumbole"
              kubectl get pods
              RETRY=0
@@ -132,15 +132,15 @@ jobs:
                     --max-time 20 \
                     --head \
                     --header "Host: $DD_HOSTNAME" \
-                    http://$DJANGO_IP/login?next=/)
+                    "http://${DJANGO_IP}/login?next=/")
                echo $OUT
-               CR=`echo $OUT | egrep "^HTTP" | cut -d' ' -f2`
+               CR=$(echo $OUT | egrep "^HTTP" | cut -d' ' -f2)
                echo $CR
                if [[ $CR -ne 200 ]]; then
                   echo $RETRY
                   if [[ $RETRY -gt 2 ]]; then
                     kubectl get pods
-                    echo `kubectl logs --tail=30 -l defectdojo.org/component=django -c uwsgi`
+                    echo $(kubectl logs --tail=30 -l defectdojo.org/component=django -c uwsgi)
                     echo "ERROR: cannot display login screen; got HTTP code $CR"
                     exit 1
                   else
@@ -165,7 +165,7 @@ jobs:
                  --data-raw "username=admin&password=$ADMIN_PASS" \
                  --output /dev/null \
                  --write-out "%{http_code}\n" \
-                 http://$DJANGO_IP/api/v2/api-token-auth/)
+                 "http://${DJANGO_IP}/api/v2/api-token-auth/")
              echo $CR
              if [[ $CR -ne 200 ]]; then
               echo "ERROR: login is not possible; got HTTP code $CR"
@@ -174,8 +174,8 @@ jobs:
               echo "Result received"
              fi
              echo "Final Check of components"
-             errors=`kubectl get pods | grep Error | awk '{print  $1}'`
-             if [[ ! -z  $errors ]]; then
+             errors=$(kubectl get pods | grep Error | awk '{print $1}')
+             if [[ ! -z $errors ]]; then
                echo "Few pods with errors"
                for line in $errors; do
                  echo "Dumping log from $line"
 
@@ -2,6 +2,48 @@
 title: 'Upgrading to DefectDojo Version 2.51.x'
 toc_hide: true
 weight: -20250902
-description: No special instructions.
+description: Helm chart changes.
 ---
-There are no special instructions for upgrading to 2.51.x. Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.51.0) for the contents of the release.
+
+## Helm Chart Changes
+
+This release introduces several important changes to the Helm chart configuration:
+
+### Breaking changes
+
+#### Volume Management Improvements
+
+- **Streamlined volume configuration**: The existing volume logic has been removed and replaced with more flexible `extraVolumes` and `extraVolumeMounts` options that provide deployment-agnostic volume management.
+
+> The previous volume implementation prevented mounting projected volumes (such as secret mounts with renamed key names) and per-container volume mounts (like nginx emptyDir when readOnlyRootFs is enforced).
+> The new approach resolves these limitations.
+
+#### Moved values
+
+The following Helm chart values have been modified in this release:
+
+- `redis.transportEncryption.enabled` → `redis.tls.enabled` (aligned with upstream Helm chart)
+- `redis.scheme` → `redis.sentinel.enabled` (controls deployment mode and aligns with upstream chart)
+- `redis.redisServer` → `redisServer` (prevents potential schema conflicts with upstream chart)
+- `redis.transportEncryption.params` → `redisParams` (prevents potential schema conflicts with upstream chart)
+- `postgresql.postgresServer` → `postgresServer` (prevents potential schema conflicts with upstream chart)
+
+### New features
+
+#### Container and Environment Enhancements
+
+- **Added extraInitContainers support**: Both Celery and Django deployments now support additional init containers through the `extraInitContainers` configuration option.
+- **Enhanced probe configuration for Celery**: Added support for customizing liveness, readiness, and startup probes in both Celery beat and worker deployments.
+- **Enhanced environment variable management**: All deployments now include `extraEnv` support for adding custom environment variables. For backwards compatibility, `.Values.extraEnv` can be used to inject common environment variables to all workloads.
+
+### Other changes
+
+- **Celery pod annotations**: Now we can add annotations to Celery beat/worker pods separately.
+- **Flexible secret deployment**: Added the capability to deploy secrets as regular (non-hooked) resources to address compatibility issues encountered with CI/CD tools (such as ArgoCD).
+- **Optional secret references**: Some secret references are now optional, allowing the chart to function even when certain secrets are not created.
+- **Fixed secret mounting**: Resolved issues with optional secret mounts and references.
+- **Improved code organization**: Minor Helm chart refactoring to enhance readability and maintainability.
+
+---
+
+There are other instructions for upgrading to 2.51.x. Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.51.0) for the contents of the release.
@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: "2.51.0-dev"
 description: A Helm chart for Kubernetes to install DefectDojo
 name: defectdojo
-version: 1.6.206-dev
+version: 1.7.0-dev
 icon: https://www.defectdojo.org/img/favicon.ico
 maintainers:
   - name: madchap
 
@@ -53,15 +53,16 @@ Create the name of the service account to use
 {{-   printf "%s-%s" .Release.Name "postgresql" | trunc 63 | trimSuffix "-" -}}
 {{-  end -}}
 {{- else -}}
-{{-  printf "%s" ( .Values.postgresql.postgresServer | default "127.0.0.1" ) -}}
+{{- .Values.postgresServer | default "127.0.0.1" | quote -}}
 {{- end -}}
 {{- end -}}
+
 {{- define "redis.hostname" -}}
 {{- if eq .Values.celery.broker "redis" -}}
 {{- if .Values.redis.enabled -}}
 {{- printf "%s-%s" .Release.Name "redis-master" | trunc 63 | trimSuffix "-" -}}
 {{- else -}}
-{{- printf "%s" (.Values.celery.brokerHost | default .Values.redis.redisServer) -}}
+{{- .Values.redisServer | default "127.0.0.1" | quote -}}
 {{- end -}}
 {{- end -}}
 {{- end -}}
@@ -71,9 +72,9 @@ Create the name of the service account to use
 */}}
 {{- define "redis.scheme" -}}
 {{- if eq .Values.celery.broker "redis" -}}
-{{- if .Values.redis.transportEncryption.enabled -}}
+{{- if .Values.redis.tls.enabled -}}
 {{- printf "rediss" -}}
-{{- else if eq .Values.redis.scheme "sentinel" -}}
+{{- else if .Values.redis.sentinel.enabled -}}
 {{- printf "sentinel" -}}
 {{- else -}}
 {{- printf "redis" -}}
 
@@ -11,18 +11,16 @@ metadata:
     app.kubernetes.io/managed-by: {{ .Release.Service }}
     helm.sh/chart: {{ include "defectdojo.chart" . }}
     {{- with .Values.extraLabels }}
-        {{- toYaml . | nindent 4 }}
+      {{- toYaml . | nindent 4 }}
     {{- end }}
-{{- if .Values.celery.annotations }}
+  {{- with mergeOverwrite .Values.celery.annotations .Values.celery.beat.annotations }}
   annotations:
-{{- with .Values.celery.annotations }}
-  {{- toYaml . | nindent 4 }}
-{{- end }}
-{{- end }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
   replicas: {{ .Values.celery.beat.replicas }}
-  {{- if .Values.revisionHistoryLimit }}
-  revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
+  {{- with .Values.revisionHistoryLimit }}
+  revisionHistoryLimit: {{ . }}
   {{- end }}
   selector:
     matchLabels:
@@ -44,7 +42,7 @@ spec:
           {{- toYaml . | nindent 8 }}
         {{- end }}
       annotations:
-      {{- with .Values.celery.beat.annotations }}
+      {{- with mergeOverwrite .Values.celery.annotations .Values.celery.beat.podAnnotations }}
         {{- toYaml . | nindent 8 }}
       {{- end }}
       {{- if eq (.Values.trackConfig | default "disabled") "enabled" }}
@@ -54,9 +52,9 @@ spec:
       {{- end }}
     spec:
       serviceAccountName: {{ include "defectdojo.serviceAccountName" . }}
-      {{- if .Values.imagePullSecrets }}
+      {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
-      - name: {{ .Values.imagePullSecrets }}
+      - name: {{ . }}
       {{- end }}
       volumes:
       - name: run
@@ -71,22 +69,16 @@ spec:
         configMap:
           name: {{ .Values.django.uwsgi.certificates.configName }}
       {{- end }}
-      {{- range .Values.celery.extraVolumes }}
-      - name: userconfig-{{ .name }}
-        {{ .type }}:
-          {{- if (eq .type "configMap") }}
-          name: {{ .name }}
-          {{- else if (eq .type "secret") }}
-          secretName: {{ .name }}
-          {{- else if (eq .type "hostPath") }}
-          type: {{ .pathType | default "Directory" }}
-          path: {{ .hostPath }}
-          {{- end }}
+      {{- with .Values.celery.beat.extraVolumes }}
+        {{- . | toYaml | nindent 6 }}
       {{- end }}
-      {{- if or .Values.dbMigrationChecker.enabled .Values.cloudsql.enabled }}
+      {{- if coalesce .Values.dbMigrationChecker.enabled .Values.cloudsql.enabled .Values.celery.beat.extraInitContainers }}
       initContainers:
+      {{- range .Values.celery.beat.extraInitContainers }}
+      - {{- . | toYaml | nindent 8 }}
+      {{- end }}
       {{- end }}
-      {{- if .Values.cloudsql.enabled  }}
+      {{- if .Values.cloudsql.enabled }}
       - name: cloudsql-proxy
         image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }}
         imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }}
@@ -115,6 +107,15 @@ spec:
         name: celery
         image: "{{ template "celery.repository" . }}:{{ .Values.tag }}"
         imagePullPolicy: {{ .Values.imagePullPolicy }}
+        {{- with .Values.celery.beat.livenessProbe }}
+        livenessProbe: {{ toYaml . | nindent 10 }}
+        {{- end }}
+        {{- with .Values.celery.beat.readinessProbe }}
+        readinessProbe: {{ toYaml . | nindent 10 }}
+        {{- end }}
+        {{- with .Values.celery.beat.startupProbe }}
+        startupProbe: {{ toYaml . | nindent 10 }}
+        {{- end }}
         {{- if .Values.securityContext.enabled }}
         securityContext:
           {{- toYaml .Values.securityContext.djangoSecurityContext | nindent 10 }}
@@ -128,15 +129,12 @@ spec:
           mountPath: /app/dojo/settings/local_settings.py
           subPath: file
         {{- end }}
-        {{- if  .Values.django.uwsgi.certificates.enabled }}
+        {{- if .Values.django.uwsgi.certificates.enabled }}
         - name: cert-mount
           mountPath: {{ .Values.django.uwsgi.certificates.certMountPath }}
         {{- end }}
-        {{- range .Values.celery.extraVolumes }}
-        - name: userconfig-{{ .name }}
-          readOnly: true
-          mountPath: {{ .path }}
-          subPath: {{ .subPath }}
+        {{- with .Values.celery.beat.extraVolumeMounts }}
+          {{- . | toYaml | nindent 8 }}
         {{- end }}
         envFrom:
         - configMapRef:
@@ -162,8 +160,12 @@ spec:
             secretKeyRef:
               name: {{ $fullName }}
               key: DD_SECRET_KEY
+              optional: true
         {{- with .Values.extraEnv }}
-          {{- toYaml . | nindent 8 }}
+          {{- . | toYaml | nindent 8 }}
+        {{- end }}
+        {{- with .Values.celery.beat.extraEnv }}
+          {{- . | toYaml | nindent 8 }}
         {{- end }}
         resources:
           {{- toYaml .Values.celery.beat.resources | nindent 10 }}
 
@@ -13,16 +13,14 @@ metadata:
     {{- with .Values.extraLabels }}
       {{- toYaml . | nindent 4 }}
     {{- end }}
-{{- if .Values.celery.annotations }}
+  {{- with mergeOverwrite .Values.celery.annotations .Values.celery.worker.annotations }}
   annotations:
-{{- with .Values.celery.annotations }}
-  {{- toYaml . | nindent 4 }}
-{{- end }}
-{{- end }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
   replicas: {{ .Values.celery.worker.replicas }}
-  {{- if .Values.revisionHistoryLimit }}
-  revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
+  {{- with .Values.revisionHistoryLimit }}
+  revisionHistoryLimit: {{ . }}
   {{- end }}
   selector:
     matchLabels:
@@ -44,7 +42,7 @@ spec:
           {{- toYaml . | nindent 8 }}
         {{- end }}
       annotations:
-      {{- with .Values.celery.worker.annotations }}
+      {{- with mergeOverwrite .Values.celery.annotations .Values.celery.worker.podAnnotations }}
         {{- toYaml . | nindent 8 }}
       {{- end }}
       {{- if eq (.Values.trackConfig | default "disabled") "enabled" }}
@@ -54,9 +52,9 @@ spec:
       {{- end }}
     spec:
       serviceAccountName: {{ include "defectdojo.serviceAccountName" . }}
-      {{- if .Values.imagePullSecrets }}
+      {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
-      - name: {{ .Values.imagePullSecrets }}
+      - name: {{ . }}
       {{- end }}
       volumes:
       {{- if  .Values.localsettingspy }}
@@ -69,20 +67,14 @@ spec:
         configMap:
           name: {{ .Values.django.uwsgi.certificates.configName }}
       {{- end }}
-      {{- range .Values.celery.extraVolumes }}
-      - name: userconfig-{{ .name }}
-        {{ .type }}:
-          {{- if (eq .type "configMap") }}
-          name: {{ .name }}
-          {{- else if (eq .type "secret") }}
-          secretName: {{ .name }}
-          {{- else if (eq .type "hostPath") }}
-          type: {{ .pathType | default "Directory" }}
-          path: {{ .hostPath }}
-          {{- end }}
+      {{- with .Values.celery.worker.extraVolumes }}
+        {{- . | toYaml | nindent 6 }}
       {{- end }}
-      {{- if or .Values.dbMigrationChecker.enabled .Values.cloudsql.enabled }}
+      {{- if coalesce .Values.dbMigrationChecker.enabled .Values.cloudsql.enabled .Values.celery.worker.extraInitContainers }}
       initContainers:
+      {{- range .Values.celery.worker.extraInitContainers }}
+      - {{- . | toYaml | nindent 8 }}
+      {{- end }}
       {{- end }}
       {{- if .Values.cloudsql.enabled  }}
       - name: cloudsql-proxy
@@ -111,13 +103,22 @@ spec:
       - name: celery
         image: "{{ template "celery.repository" . }}:{{ .Values.tag }}"
         imagePullPolicy: {{ .Values.imagePullPolicy }}
+        {{- with .Values.celery.worker.livenessProbe }}
+        livenessProbe: {{ toYaml . | nindent 10 }}
+        {{- end }}
+        {{- with .Values.celery.worker.readinessProbe }}
+        readinessProbe: {{ toYaml . | nindent 10 }}
+        {{- end }}
+        {{- with .Values.celery.worker.startupProbe }}
+        startupProbe: {{ toYaml . | nindent 10 }}
+        {{- end }}
         {{- if .Values.securityContext.enabled }}
         securityContext:
           {{- toYaml .Values.securityContext.djangoSecurityContext | nindent 10 }}
         {{- end }}
         command: ['/entrypoint-celery-worker.sh']
         volumeMounts:
-        {{- if  .Values.localsettingspy }}
+        {{- if .Values.localsettingspy }}
         - name: localsettingspy
           readOnly: true
           mountPath: /app/dojo/settings/local_settings.py
@@ -127,11 +128,8 @@ spec:
         - name: cert-mount
           mountPath: {{ .Values.django.uwsgi.certificates.certMountPath }}
         {{- end }}
-        {{- range .Values.celery.extraVolumes }}
-        - name: userconfig-{{ .name }}
-          readOnly: true
-          mountPath: {{ .path }}
-          subPath: {{ .subPath }}
+        {{- with .Values.celery.worker.extraVolumeMounts }}
+          {{- . | toYaml | nindent 8 }}
         {{- end }}
         envFrom:
         - configMapRef:
@@ -157,8 +155,12 @@ spec:
             secretKeyRef:
               name: {{ $fullName }}
               key: DD_SECRET_KEY
+              optional: true
         {{- with .Values.extraEnv }}
-          {{- toYaml . | nindent 8 }}
+          {{- . | toYaml | nindent 8 }}
+        {{- end }}
+        {{- with .Values.celery.worker.extraEnv }}
+          {{- . | toYaml | nindent 8 }}
         {{- end }}
         resources:
           {{- toYaml .Values.celery.worker.resources | nindent 10 }}