
feat: add the extra labels capabilities for chart #11108

Closed

Conversation

JGodin-C2C
Contributor

Description

Add extra labels for the deployment

Test results

This is not directly related to DefectDojo development but is a deployment-wise improvement.

Documentation

N/A

Checklist

This checklist is for your information.

  • Make sure to rebase your PR against the very latest dev.
  • Features/Changes should be submitted against the dev.
  • Give a meaningful name to your PR, as it may end up being used in the release notes.
  • If this is a new feature and not a bug fix, you've included the proper documentation in the docs at https://github.com/DefectDojo/django-DefectDojo/tree/dev/docs as part of this PR.


dryrunsecurity bot commented Oct 21, 2024

DryRun Security Summary

The pull request focuses on improving the security and configurability of the DefectDojo Helm chart, including secure handling of sensitive information, enabling TLS termination, configuring security context, implementing network policies, and adding support for extra labels and volumes.


Summary:

The code changes in this pull request are focused on improving the security and configurability of the DefectDojo Helm chart. The changes span multiple files, including those related to the Celery worker, Django deployment, ConfigMap, Celery Beat, Django service, Ingress, and various Secrets.

Key security-related changes include:

  1. Secure handling of sensitive information, such as storing database passwords and other credentials in Kubernetes Secrets.
  2. Enabling TLS termination at the Ingress level to ensure secure communication between clients and the application.
  3. Configuring security context for containers to run as non-root users.
  4. Implementing network policies to control ingress and egress traffic to the application.
  5. Adding support for extra labels and volumes to provide more flexibility in managing and configuring the application resources.

Overall, the changes appear to be focused on improving the security posture of the DefectDojo application while also enhancing the configurability and maintainability of the Helm chart. As an application security engineer, I would recommend thoroughly reviewing the changes and ensuring that the Helm chart is properly configured and deployed in a secure manner.

Files Changed:

  1. helm/defectdojo/templates/celery-worker-deployment.yaml: Adds support for extra labels and volumes, and securely handles sensitive environment variables.
  2. helm/defectdojo/templates/django-deployment.yaml: Includes Prometheus monitoring, secure volume mounts, and environment variable management.
  3. helm/defectdojo/templates/configmap.yaml: Handles sensitive configuration, such as admin credentials and database connection details.
  4. helm/defectdojo/templates/celery-beat-deployment.yaml: Adds support for extra labels and securely manages environment variables.
  5. helm/defectdojo/templates/django-service.yaml: Configures the Kubernetes service, including TLS termination and Prometheus metrics exposure.
  6. helm/defectdojo/templates/extra-secret.yaml: Adds support for extra labels to the Kubernetes Secret resource.
  7. helm/defectdojo/templates/initializer-job.yaml: Securely handles environment variables and sets appropriate security context.
  8. helm/defectdojo/templates/django-ingress.yaml: Configures the Ingress resource, including TLS termination and path customization.
  9. helm/defectdojo/templates/media-pvc.yaml: Adds support for extra labels to the Persistent Volume Claim.
  10. helm/defectdojo/templates/sa.yaml: Adds support for extra labels to the Kubernetes ServiceAccount.
  11. helm/defectdojo/templates/network-policy.yaml: Implements network policies to control ingress and egress traffic.
  12. helm/defectdojo/templates/secret-postgresql-ha-pgpool.yaml: Securely manages the PostgreSQL HA Pgpool component's admin password.
  13. helm/defectdojo/templates/secret-redis.yaml: Securely stores the Redis authentication password.
  14. helm/defectdojo/templates/secret-postgresql.yaml: Adds support for extra labels to the PostgreSQL Secret resource.
  15. helm/defectdojo/values.yaml: Enables the network policy feature and adds support for extra labels.
  16. helm/defectdojo/templates/secret-postgresql-ha.yaml: Securely manages the PostgreSQL HA setup's passwords and credentials.
  17. helm/defectdojo/templates/secret.yaml: Adds support for extra labels to the Kubernetes Secret resource.

Code Analysis

We ran 9 analyzers against 17 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.


@kiblik
Contributor

kiblik commented Oct 21, 2024

It might be a good idea to add it to .spec.template.metadata.labels in *-deployment.yaml and *-job.yaml as well.

@JGodin-C2C JGodin-C2C force-pushed the extra_labels branch 4 times, most recently from b152747 to 0ad1445 on October 21, 2024 14:44
@JGodin-C2C
Contributor Author

> It might be a good idea to add it to .spec.template.metadata.labels in *-deployment.yaml and *-job.yaml as well.

Done!
Thanks for the recommendation.

Contributor

@cneill cneill left a comment


One last tweak, then this should be good to go 🙂

Signed-off-by: Julien Godin <julien.godin@camptocamp.com>
@dsever
Contributor

dsever commented Oct 30, 2024

Guys, I don't think this is the proper way to extend it; I would rather propose the same way `helm create` handles the annotations:

```yaml
  {{- with .Values.ingress.annotations }}
    {{- toYaml . | nindent 4 }}
  {{- end }}
```

Even all the generic labels could go into the helper.

@cneill
Contributor

cneill commented Oct 30, 2024

> Guys, I don't think this is the proper way to extend it; I would rather propose the same way `helm create` handles the annotations:
>
> ```yaml
>   {{- with .Values.ingress.annotations }}
>     {{- toYaml . | nindent 4 }}
>   {{- end }}
> ```
>
> Even all the generic labels could go into the helper.

I'm fine with that approach, but I'm not sure I understand the benefit, though it's certainly a bit cleaner. Is the idea basically to avoid copy/paste mistakes when referencing .Values.extraLabels on 2 separate lines?

@dsever
Contributor

dsever commented Oct 31, 2024

> I'm fine with that approach, but I'm not sure I understand the benefit, though it's certainly a bit cleaner. Is the idea basically to avoid copy/paste mistakes when referencing .Values.extraLabels on 2 separate lines?

At the moment Helm is complicated anyhow, so I would take any chance to optimize it.
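A sketch of the helper-based approach discussed in this thread, applied to the extra labels this PR adds to both the Deployment metadata and the pod template (an added example, not the chart's own code; the helper name `defectdojo.extraLabels`, the file paths and the sample label values are assumptions):

```yaml
# values.yaml (constructed sample input; an empty map is the default)
extraLabels:
  team: platform
  cost-center: "1234"

# templates/_helpers.tpl
# One place references .Values.extraLabels; every template includes
# this helper, so the value name cannot drift between copies.
{{- define "defectdojo.extraLabels" -}}
{{- with .Values.extraLabels }}
{{- toYaml . }}
{{- end }}
{{- end }}

# templates/django-deployment.yaml (fragment)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .Release.Name }}-django
  labels:
    app.kubernetes.io/name: defectdojo-django
    {{- include "defectdojo.extraLabels" . | nindent 4 }}
spec:
  selector:
    matchLabels:
      # Keep the selector free of extra labels: it is immutable once the
      # Deployment exists, and it is what a NetworkPolicy podSelector targets.
      app.kubernetes.io/name: defectdojo-django
  template:
    metadata:
      labels:
        app.kubernetes.io/name: defectdojo-django
        # Same helper at pod level, as kiblik asked for, so the labels
        # reach the pods and not only the Deployment object.
        {{- include "defectdojo.extraLabels" . | nindent 8 }}
```

With an empty `extraLabels` the helper renders nothing, so the `labels:` maps stay valid; `helm template` on the chart shows the rendered result before anything is applied.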

@JGodin-C2C JGodin-C2C mentioned this pull request Oct 31, 2024
@JGodin-C2C
Contributor Author

Hey @dsever, I am doing just what you are saying here.

#11168

@cneill
Contributor

cneill commented Oct 31, 2024

Closing this one as it is superseded by #11168

@cneill cneill closed this Oct 31, 2024