Skip to content

feat(helm): Use Valkey #13408

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: dev
Choose a base branch
from
Open

feat(helm): Use Valkey #13408

wants to merge 1 commit into from
+142 −142

Conversation

@kiblik
Copy link
Contributor

@kiblik kiblik commented Oct 13, 2025
edited
Loading

TBD

kubectl exec statefulset/defectdojo-redis-master -c redis -- redis-cli -a `kubectl get secret defectdojo-redis-specific -o go-template='{{index .data "redis-password" | base64decode}}'` llen celery

@github-actions github-actions bot added the helm label Oct 13, 2025
@github-actions
Copy link
Contributor

github-actions bot commented Oct 23, 2025

Conflicts have been resolved. A maintainer will review the pull request shortly.

@Maffooch
Copy link
Contributor

Maffooch commented Oct 27, 2025

Hi @kiblik the valkey migration is slated for release in the upcoming minor release on November 3rd. The docker compose PR looks ready to roll after your feedback was incorporated. Is there anything left to be implemented in this PR for the helm chart?

@kiblik
Copy link
Contributor Author

kiblik commented Nov 3, 2025

So, my original idea was to replace Bitnami Redis with the official Valkey Helm chart. Unfortunately, this is not fully possible because authN issue.
The official Valkey Helm chart does not support the approach: "This is a password which I generated/prepared for you. Use it". Valkey needs the users.acl file with the full definition of users.
This issue is partially solved in the open PR, but still not fully support "This is a prepared password. Use it."
So we might

  • use Valkey chart from Bitnami. But charts and/or Docker images would have to be mirrored (not a good and maintainable solution)
  • use CloudPirates chart (comes from the original Bitnami definition, but they keep it nicely maintained)
  • use deployment without authN (we might depend on network isolation using NetworkPolicy)
  • ???

@kiblik
Copy link
Contributor Author

kiblik commented Nov 3, 2025

I hope migration will be easier, and I did not have enough time to come back to it until now.

@github-actions
Copy link
Contributor

github-actions bot commented Nov 3, 2025

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@kiblik kiblik force-pushed the helm_valkey branch 5 times, most recently from 5bf0d34 to 854c188 Compare November 4, 2025 18:13
@github-actions
Copy link
Contributor

github-actions bot commented Nov 4, 2025

Conflicts have been resolved. A maintainer will review the pull request shortly.

@kiblik kiblik force-pushed the helm_valkey branch 12 times, most recently from bf3a0d5 to 196988a Compare November 5, 2025 10:27
@renovate @kiblik
feat(helm): Use Valkey
cc5a37f 
Signed-off-by: kiblik <5609770+kiblik@users.noreply.github.com>
@kiblik
Copy link
Contributor Author

kiblik commented Nov 5, 2025

I still need some time to write the migration steps + description of PR + see CloudPirates-io/helm-charts#552
But I suppose the review can start.

@kiblik kiblik marked this pull request as ready for review November 5, 2025 10:39
@dryrunsecurity
Copy link

dryrunsecurity bot commented Nov 5, 2025

DryRun Security

This pull request introduces issues around secret handling: it hardcodes the same secret name across multiple Helm templates risking name collisions, generates a weak 10-character valkey (~60 bits entropy) that is below recommended strength, and permits plaintext passwords in values.yaml which can expose credentials if committed to version control.

Hardcoded Secret Name in helm/defectdojo/templates/tests/unit-tests.yaml
Vulnerability Hardcoded Secret Name
Description The secret name 'defectdojo-valkey-specific' is hardcoded as a default value in multiple deployment templates (celery-beat, celery-worker, django, and unit-tests). While it can be overridden by valkey.auth.existingSecret in values.yaml, using a fixed default name across different components and potentially different deployments within the same Kubernetes namespace creates a high risk of naming collisions. This could lead to one deployment inadvertently using the secret of another, or failing to deploy if the secret already exists with different content, causing unexpected behavior or security issues.

django-DefectDojo/helm/defectdojo/templates/tests/unit-tests.yaml

Lines 36 to 43 in cc5a37f

valueFrom:
secretKeyRef:
# Use broker chart secret
name: defectdojo-valkey-specific
key: valkey-password
- name: DD_DATABASE_PASSWORD
valueFrom:
secretKeyRef:

Weak Randomly Generated Secret in helm/defectdojo/templates/secret-valkey.yaml
Vulnerability Weak Randomly Generated Secret
Description The Helm template generates a 10-character alphanumeric password for Valkey using randAlphaNum 10. Assuming a character set of 62 (uppercase, lowercase, and digits), this results in approximately 59.54 bits of entropy. This level of entropy is generally considered insufficient for production-grade secrets, which typically require 64 bits or more, with 128 bits being a common recommendation for machine-generated credentials. A password with only ~60 bits of entropy could be vulnerable to brute-force attacks over time, especially with increasing computational power.

django-DefectDojo/helm/defectdojo/templates/secret-valkey.yaml

Lines 29 to 32 in cc5a37f

{{ .Values.valkey.auth.existingSecretPasswordKey }}: {{ randAlphaNum 10 | b64enc | quote }}
{{- end }}
{{- end }}

Insecure Credential Management in helm/defectdojo/values.yaml
Vulnerability Insecure Credential Management
Description The valkey.auth.password field in helm/defectdojo/values.yaml allows users to specify a plaintext password. This password is then directly used to create a Kubernetes Secret. Storing sensitive information like passwords in plaintext within values.yaml (which is often committed to version control) is an insecure practice, as it exposes credentials.

django-DefectDojo/helm/defectdojo/values.yaml

Lines 613 to 616 in cc5a37f

password: ""
# -- To use a different port for Redis (default: 6379)
service:
port: 6379

All finding details can be found in the DryRun Security Dashboard.

@mtesauro mtesauro requested a review from rossops November 5, 2025 21:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Maffooch Maffooch Awaiting requested review from Maffooch Maffooch is a code owner

@mtesauro mtesauro Awaiting requested review from mtesauro mtesauro is a code owner

@rossops rossops Awaiting requested review from rossops

At least 4 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

helm

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@kiblik @Maffooch @mtesauro