
feat(helm): Add secret annotations #11860

Merged (9 commits), Feb 27, 2025

Conversation

al-cheb (Contributor) commented Feb 20, 2025

Description

Allow adding annotations to secret resources.

E.g., a Kubernetes mutating webhook that performs direct secret injection using annotations: https://bank-vaults.dev/docs/mutating-webhook/annotations/

Allow adding annotations to secret resources.
@github-actions github-actions bot added the helm label Feb 20, 2025

dryrunsecurity bot commented Feb 20, 2025

DryRun Security Summary

Added Kubernetes Secret annotation support across Helm charts while introducing potential security risks related to annotation injection and metadata manipulation that require careful validation of input values.


The PR adds annotation support for Kubernetes Secrets across multiple Helm chart templates, allowing flexible metadata configuration for secret resources.

Security findings:

  • Potential annotation injection vulnerability in multiple files (extra-secret.yaml, secret-postgresql-ha-pgpool.yaml, secret-postgresql-ha.yaml, secret-postgresql.yaml, secret-redis.yaml, secret.yaml)
  • Risk of exposing sensitive information through unvalidated annotations
  • Potential metadata manipulation through dynamically added annotations
  • Requires careful validation of .Values.secrets.annotations and .Values.annotations to prevent information disclosure

Code Analysis

We ran 9 analyzers against 7 files and 0 analyzers had findings. 9 analyzers had no findings.


@Maffooch Maffooch requested a review from kiblik February 21, 2025 19:23
kiblik (Contributor) left a comment


Some small suggestions. But in general LGTM.

al-cheb and others added 8 commits February 24, 2025 13:21
Co-authored-by: kiblik <5609770+kiblik@users.noreply.github.com>
@al-cheb al-cheb requested a review from kiblik February 24, 2025 10:22
mtesauro (Contributor) left a comment


Approved

@mtesauro mtesauro merged commit 0a08c0d into DefectDojo:dev Feb 27, 2025
73 checks passed
@al-cheb al-cheb deleted the add-secret-annotations branch February 27, 2025 06:22
5 participants