fix(helm): set cloudsql-proxy as sidecar container to allow initializer and dbmigration to run

[jndeverteuil]

⚠️ Note on feature completeness ⚠️

We are narrowing the scope of acceptable enhancements to DefectDojo in preparation for v3. Learn more here:
https://github.com/DefectDojo/django-DefectDojo/blob/master/readme-docs/CONTRIBUTING.md

Description

This PR is to fix an issue when using cloudsql-proxy as per the following discussion: #7235

When using Cloud SQL as a managed database, the Job related to Initializer isn't completed because your Sidecar is still running. Sidecar is cloudsql-proxy.

By setting the cloudsql-proxy as a special initContainer of typesidecar (see relevant kubernetes doc), we allow the wait-for-db initContainer to reach the database.

Kubernetes implements sidecar containers as a special case of init containers; sidecar containers remain running after Pod startup.

These restartable sidecar containers are independent from other init containers and from the main application container(s) within the same pod.

If an init container is created with its restartPolicy set to Always, it will start and remain running during the entire life of the Pod.

If you define a Job that uses sidecar using Kubernetes-style init containers, the sidecar container in each Pod does not prevent the Job from completing after the main container has finished.

Without this, wait-for-db is never allowed to reach the database since cloudsql-proxy is set as a regular container which are running only after initcontainer are finished.

[dryrunsecurity]

DryRun Security Summary

The provided code changes focus on improving the security and reliability of the DefectDojo application by adding a cloudsql-proxy initContainer, using Kubernetes Secrets to store sensitive information, and implementing security context settings to run the containers with reduced privileges, as well as including liveness and readiness probes, image pull secrets, and persistent volumes for media files.

Expand for full summary

Summary:

The provided code changes are focused on improving the security and reliability of the DefectDojo application, particularly in the areas of database connection security, secrets management, and container security.

The key changes include the addition of a cloudsql-proxy initContainer to proxy the connection to the Cloud SQL database, the use of Kubernetes Secrets to store sensitive information, and the implementation of security context settings to run the containers with reduced privileges.

Additionally, the changes ensure that the database migration check is performed only when necessary, and they include liveness and readiness probes to monitor the health of the application. The code also allows for the use of image pull secrets and persistent volumes for media files, further enhancing the overall security and reliability of the deployment.

Overall, the changes appear to be a positive step from an application security perspective, as they address common security concerns and follow best practices for deploying applications in a Kubernetes environment.

Files Changed:

1. helm/defectdojo/templates/celery-worker-deployment.yaml:

   • Added a conditional check for the cloudsql.enabled value to include the cloudsql-proxy initContainer.
   • Set the restartPolicy: Always option for the cloudsql-proxy initContainer to ensure it is restarted if it fails.
   • Rearranged the order of the initContainers and containers sections.

2. helm/defectdojo/templates/celery-beat-deployment.yaml:

   • Included the dbMigrationChecker initContainer only when dbMigrationChecker.enabled or cloudsql.enabled is true.
   • Added the cloudsql-proxy initContainer when cloudsql.enabled is true.

3. helm/defectdojo/templates/django-deployment.yaml:

   • Included the dbMigrationChecker initContainer only when dbMigrationChecker.enabled or cloudsql.enabled is true.
   • Added the cloudsql-proxy initContainer when cloudsql.enabled is true.
   • Properly used Kubernetes Secrets to store sensitive information.
   • Set the DD_SESSION_COOKIE_SECURE and DD_CSRF_COOKIE_SECURE environment variables based on the TLS configuration.
   • Included liveness and readiness probes for the uWSGI and Nginx containers.
   • Set security context for the Django and Nginx containers.
   • Included the option to use a persistent volume for storing media files.

4. helm/defectdojo/templates/initializer-job.yaml:

   • Added the cloudsql-proxy container when cloudsql.enabled is true.
   • Moved the wait-for-db container to be an initContainer.
   • Added the initializer container to perform any necessary initialization tasks.
   • Used the securityContext configuration to set the security context for the cloudsql-proxy and initializer containers.
   • Allowed the initializer container to access external data or configurations through the initializer.extraVolumes configuration.

Code Analysis

We ran 9 analyzers against 4 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

[github-actions]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

[github-actions]

Conflicts have been resolved. A maintainer will review the pull request shortly.

[github-actions]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

[github-actions]

Conflicts have been resolved. A maintainer will review the pull request shortly.

[github-actions]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

[github-actions]

Conflicts have been resolved. A maintainer will review the pull request shortly.

[kiblik]

I suppose this should help.

[tidusete]

I agree on all what @kiblik suggest

[tidusete]

lgtm

[tidusete]

Is there any issue on it? I'm waiting for this fix to end up on a release 🙏

[mtesauro]

Approved

[tidusete]

Is there any problem with the MR? It looks like it's still Open

[mtesauro]

@tidusete

Is there any problem with the MR? It looks like it's still Open

PRs require 4 approvals from DefectDojo maintainers and this one is 2 short currently.