
Adding annotations to different resources #11467

Open
wants to merge 1 commit into base: dev

Conversation

veneber
Contributor

@veneber commented Dec 24, 2024

Description

Just adding some annotations to Helm templates to increase the possibilities in the definition for different resources.

@github-actions github-actions bot added the helm label Dec 24, 2024

DryRun Security Summary

The pull request enhances the DefectDojo Kubernetes Helm chart's configurability by adding annotation support for various resources while maintaining a focus on security best practices and deployment flexibility.


Summary:

The code changes in this pull request are focused on improving the configurability and flexibility of the DefectDojo application deployed using a Kubernetes Helm chart. The key changes include the addition of support for annotations on various resources, such as the ConfigMap, Celery Beat Deployment, Celery Worker Deployment, Django Deployment, and Network Policy.

From an application security perspective, the changes do not introduce any obvious security vulnerabilities. Instead, they provide more options for users to customize the deployment and integrate it with other tools or security practices. However, it's important to review the specific use cases and configurations to ensure that the application's security posture is maintained.

Some key security-related aspects to consider include:

  • Ensuring that sensitive information, such as database credentials and secret keys, are properly secured (e.g., using Kubernetes Secrets) and not stored in plain text.
  • Reviewing the network policy configuration to verify that the appropriate network isolation and least privilege principles are applied.
  • Validating the security-related configurations, such as secure session and CSRF cookies, security contexts, and probes.
  • Ensuring that any additional volumes or volume mounts do not introduce security risks, such as accessing sensitive data or exposing unnecessary attack surfaces.

Overall, the changes appear to be focused on improving the flexibility and configurability of the DefectDojo deployment, while also considering security best practices. As an application security engineer, it's important to thoroughly review the entire Helm chart and the application's architecture to ensure that the security measures are consistently applied across all components.

Files Changed:

  1. helm/defectdojo/templates/configmap.yaml:

    • Adds support for configuring annotations on the ConfigMap.
    • Maintains the existing admin user configuration.
  2. helm/defectdojo/templates/celery-beat-deployment.yaml:

    • Introduces the ability to add annotations to the Celery Beat Deployment.
  3. helm/defectdojo/templates/celery-worker-deployment.yaml:

    • Adds the ability to add annotations to the Celery Worker Deployment.
    • Includes security-related configurations, such as environment variables, volume mounts, and security contexts.
  4. helm/defectdojo/templates/django-deployment.yaml:

    • Adds an optional section for Django deployment annotations.
    • Includes several security-related configurations, such as secure session and CSRF cookies, security contexts, and probes.
  5. helm/defectdojo/templates/network-policy.yaml:

    • Adds an annotations section to the network policy.
    • Allows the network policy to be easily enabled or disabled.
  6. helm/defectdojo/values.yaml:

    • Adds empty annotations fields for the network policy and Celery-related resources.

Code Analysis

We ran 9 analyzers against 6 files and 0 analyzers had findings. 9 analyzers had no findings.

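The summary above lists the resources that gain an `annotations` field but does not show the template pattern, and the one caveat a practitioner needs is where the annotation lands: annotations on a Deployment's own `metadata` are read by tools that act on the Deployment object (GitOps controllers, `kubernetes.io/change-cause`), while annotations that drive pod-level behaviour (sidecar injection, AppArmor profiles, scrape configuration) must be on `spec.template.metadata`, because Deployment annotations do not propagate to the pods it creates. The following is an added example written for this page, not the DefectDojo chart's own templates; the value keys (`networkPolicy.annotations`, `celery.worker.annotations`, the extra `celery.worker.podAnnotations` and `celery.worker.image`), the helper names `defectdojo.fullname` and `defectdojo.labels`, and the pod label are assumed.

```yaml
# Added example, not the chart's code. Value keys and helper names are assumed.
#
# Assumed values.yaml layout:
# networkPolicy:
#   enabled: true
#   annotations: {}        # annotations on the NetworkPolicy object
# celery:
#   worker:
#     image: defectdojo/defectdojo-django:latest   # assumed
#     annotations: {}      # annotations on the Deployment object
#     podAnnotations: {}   # annotations on the pod template (assumed extra key)

# --- templates/network-policy.yaml ---
{{- if .Values.networkPolicy.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ include "defectdojo.fullname" . }}
  labels:
    {{- include "defectdojo.labels" . | nindent 4 }}
  # `with` skips the whole key when the map is empty, so an untouched
  # values.yaml never renders "annotations: null" or "annotations: {}".
  {{- with .Values.networkPolicy.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: {{ include "defectdojo.fullname" . }}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector: {}   # only pods in the same namespace; tighten per environment
{{- end }}
---
# --- templates/celery-worker-deployment.yaml ---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "defectdojo.fullname" . }}-celery-worker
  # Deployment-object annotations: consumed by controllers acting on the
  # Deployment itself, never copied onto the pods.
  {{- with .Values.celery.worker.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: {{ include "defectdojo.fullname" . }}-celery-worker
  template:
    metadata:
      labels:
        app.kubernetes.io/name: {{ include "defectdojo.fullname" . }}-celery-worker
      # Pod-template annotations: this is where sidecar-injection, AppArmor
      # or scrape annotations have to live to take effect on the pods.
      {{- with .Values.celery.worker.podAnnotations }}
      annotations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
    spec:
      securityContext:
        runAsNonRoot: true
      containers:
        - name: celery-worker
          image: {{ .Values.celery.worker.image }}
          args: ["celery", "-A", "dojo", "worker"]   # assumed entrypoint
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
```

To check what a given override renders, run `helm template defectdojo ./helm/defectdojo --set 'networkPolicy.annotations.example\.io/owner=appsec'` and confirm the key appears under `metadata.annotations` of the NetworkPolicy and nowhere else; the `nindent` value must match the nesting depth (4 under a top-level `metadata`, 8 under `spec.template.metadata`) or the rendered YAML is invalid. Because annotations are free-form strings that other controllers act on, treat the values the same way as any other privileged configuration: review them in the values file like you would a security context, and do not let untrusted parties supply them through a values override.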

Contributor

@mtesauro left a comment


Approved
