4 changes: 2 additions & 2 deletions .github/workflows/k8s-tests.yml
Expand Up @@ -73,8 +73,8 @@ jobs:
--set images.nginx.image.tag=latest \
--set imagePullPolicy=Never \
--set initializer.keepSeconds="-1" \
--set redis.enabled=true \
--set createRedisSecret=true \
--set valkey.enabled=true \
--set createValkeySecret=true \
--set postgresql.enabled=true \
--set createPostgresqlSecret=true \
--set createSecret=true
10 changes: 5 additions & 5 deletions helm/defectdojo/Chart.lock
Expand Up @@ -2,8 +2,8 @@ dependencies:
- name: postgresql
repository: oci://us-docker.pkg.dev/os-public-container-registry/defectdojo
version: 16.7.27
- name: redis
repository: oci://us-docker.pkg.dev/os-public-container-registry/defectdojo
version: 19.6.4
digest: sha256:b22ad615baaa104a188c735f74ddddaec83b698315bb82f722679f762be64b50
generated: "2025-08-27T11:22:22.13669-05:00"
- name: valkey
repository: oci://registry-1.docker.io/cloudpirates
version: 0.9.2
digest: sha256:9e9234390f5cb295e3bbf0dbe2a0a6475a13ce8cf4b5c5458bc733205afefe95
generated: "2025-11-04T19:07:03.952089+01:00"
12 changes: 7 additions & 5 deletions helm/defectdojo/Chart.yaml
Expand Up @@ -13,10 +13,10 @@ dependencies:
version: ~16.7.0
repository: "oci://us-docker.pkg.dev/os-public-container-registry/defectdojo"
condition: postgresql.enabled
- name: redis
version: ~19.6.4
repository: "oci://us-docker.pkg.dev/os-public-container-registry/defectdojo"
condition: redis.enabled
- name: valkey
version: ~0.9.2
repository: "oci://registry-1.docker.io/cloudpirates"
condition: valkey.enabled
# For correct syntax, check https://artifacthub.io/docs/topics/annotations/helm/
# This is example for "artifacthub.io/changes"
# artifacthub.io/changes: |
Expand All @@ -34,4 +34,6 @@ dependencies:
# description: Critical bug
annotations:
artifacthub.io/prerelease: "true"
artifacthub.io/changes: ""
artifacthub.io/changes: |
- kind: changed
description: Replace Redis with Valkey
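Review bot: The new `valkey` dependency is pulled from `oci://registry-1.docker.io/cloudpirates`, a different publisher and registry than the `us-docker.pkg.dev/os-public-container-registry/defectdojo` location used for `postgresql` (and previously for `redis`), and the `~0.9.2` range accepts any later 0.9.x release whenever the lock file is regenerated. The `digest` recorded in Chart.lock is computed over the dependency list rather than the chart archive, so it does not by itself pin the content that gets downloaded. Consider mirroring the chart into the project registry like the other dependency, or pinning `version: 0.9.2` exactly and checking the chart's provenance in CI before `helm dependency build`.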
42 changes: 21 additions & 21 deletions helm/defectdojo/README.md
Expand Up @@ -94,7 +94,7 @@ helm install \
--set django.ingress.enabled=${DJANGO_INGRESS_ENABLED} \
--set django.ingress.activateTLS=${DJANGO_INGRESS_ACTIVATE_TLS} \
--set createSecret=true \
--set createRedisSecret=true \
--set createValkeySecret=true \
--set createPostgresqlSecret=true
```

Expand Down Expand Up @@ -280,10 +280,10 @@ helm install \
--set host="defectdojo.${TLS_CERT_DOMAIN}" \
--set django.ingress.secretName="minikube-tls" \
--set createSecret=true \
--set createRedisSecret=true \
--set createValkeySecret=true \
--set createPostgresqlSecret=true

# For high availability deploy multiple instances of Django, Celery and Redis
# For high availability deploy multiple instances of Django, Celery and Valkey
helm install \
defectdojo \
./helm/defectdojo \
Expand All @@ -292,9 +292,10 @@ helm install \
--set django.ingress.secretName="minikube-tls" \
--set django.replicas=3 \
--set celery.worker.replicas=3 \
--set redis.replicas=3 \
--set valkey.architecture=replication \
--set valkey.replicaCount=3 \
--set createSecret=true \
--set createRedisSecret=true \
--set createValkeySecret=true \
--set createPostgresqlSecret=true

# Run highly available PostgreSQL cluster
Expand All @@ -306,13 +307,14 @@ helm install \
--set host="defectdojo.${TLS_CERT_DOMAIN}" \
--set django.replicas=3 \
--set celery.worker.replicas=3 \
--set redis.replicas=3 \
--set valkey.architecture=replication \
--set valkey.replicaCount=3 \
--set django.ingress.secretName="minikube-tls" \
--set postgresql.enabled=true \
--set postgresql.replication.enabled=true \
--set postgresql.replication.slaveReplicas=3 \
--set createSecret=true \
--set createRedisSecret=true \
--set createValkeySecret=true \
--set createPostgresqlSecret=true

# Note: If you run `helm install defectdojo before, you will get an error
Expand Down Expand Up @@ -359,16 +361,13 @@ You will still need to set a host value as well.

If you want to use a redis-sentinel setup as the Celery broker, you will need to set the following.

1. Set redis.scheme to "sentinel" in values.yaml
1. Set valkey.scheme to "sentinel" in values.yaml
2. Set two additional extraEnv vars specifying the sentinel master name and port in values.yaml

```yaml
celery:
broker: 'redis'

redis:
redisServer: 'PutYourRedisSentinelAddress'
valkey:
scheme: 'sentinel'
redisServer: 'PutYourRedisSentinelAddress'

extraEnv:
- name: DD_CELERY_BROKER_TRANSPORT_OPTIONS
Expand Down Expand Up @@ -451,10 +450,10 @@ extraEnv:

#### Step 4: Deploy DefectDojo

After modifying the `values.yaml` file as needed, deploy DefectDojo using Helm. This command also generates the required secrets for the DefectDojo admin UI and Redis:
After modifying the `values.yaml` file as needed, deploy DefectDojo using Helm. This command also generates the required secrets for the DefectDojo admin UI and Valkey:

```bash
helm install defectdojo defectdojo -f values.yaml -n defectdojo --set createSecret=true --set createRedisSecret=true
helm install defectdojo defectdojo -f values.yaml -n defectdojo --set createSecret=true --set createValkeySecret=true
```

**NOTE**: It is important to highlight that this setup can also be utilized for achieving high availability (HA) in PostgreSQL. By placing a load balancer in front of the PostgreSQL cluster, read and write requests can be efficiently routed to the appropriate primary or standby servers as needed.
Expand Down Expand Up @@ -509,8 +508,8 @@ A Helm chart for Kubernetes to install DefectDojo

| Repository | Name | Version |
|------------|------|---------|
| oci://registry-1.docker.io/cloudpirates | valkey | ~0.9.2 |
| oci://us-docker.pkg.dev/os-public-container-registry/defectdojo | postgresql | ~16.7.0 |
| oci://us-docker.pkg.dev/os-public-container-registry/defectdojo | redis | ~19.6.4 |

## Values

Expand Down Expand Up @@ -547,7 +546,6 @@ A Helm chart for Kubernetes to install DefectDojo
| celery.beat.resources.requests.memory | string | `"128Mi"` | |
| celery.beat.startupProbe | object | `{}` | Enable startup probe for Celery beat container. |
| celery.beat.tolerations | list | `[]` | |
| celery.broker | string | `"redis"` | |
| celery.logLevel | string | `"INFO"` | |
| celery.worker.affinity | object | `{}` | |
| celery.worker.annotations | object | `{}` | Annotations for the Celery worker deployment. |
Expand Down Expand Up @@ -583,8 +581,9 @@ A Helm chart for Kubernetes to install DefectDojo
| cloudsql.use_private_ip | bool | `false` | whether to use a private IP to connect to the database |
| cloudsql.verbose | bool | `true` | By default, the proxy has verbose logging. Set this to false to make it less verbose |
| createPostgresqlSecret | bool | `false` | create postgresql secret in defectdojo chart, outside of postgresql chart |
| createRedisSecret | bool | `false` | create redis secret in defectdojo chart, outside of redis chart |
| createRedisSecret | bool | `false` | this value is deprecated and will be removed in the future |
| createSecret | bool | `false` | create defectdojo specific secret |
| createValkeySecret | bool | `false` | create valkey secret in defectdojo chart, outside of valkey chart |
| dbMigrationChecker.containerSecurityContext | object | `{}` | Container security context for the DB migration checker. |
| dbMigrationChecker.enabled | bool | `true` | Enable/disable the DB migration checker. |
| dbMigrationChecker.extraEnv | list | `[]` | Additional environment variables for DB migration checker. |
Expand Down Expand Up @@ -727,9 +726,6 @@ A Helm chart for Kubernetes to install DefectDojo
| postgresql.primary.podSecurityContext.enabled | bool | `true` | Default is true for K8s. Enabled needs to false for OpenShift restricted SCC and true for anyuid SCC |
| postgresql.primary.podSecurityContext.fsGroup | int | `1001` | fsGroup specification below is not applied if enabled=false. enabled=false is the required setting for OpenShift "restricted SCC" to work successfully. |
| postgresql.volumePermissions.containerSecurityContext | object | `{"runAsUser":1001}` | if using restricted SCC set runAsUser: "auto" and if running under anyuid SCC - runAsUser needs to match the line above |
| redis | object | `{"architecture":"standalone","auth":{"existingSecret":"defectdojo-redis-specific","existingSecretPasswordKey":"redis-password","password":""},"enabled":true,"sentinel":{"enabled":false},"tls":{"enabled":false}}` | For more advance options check the bitnami chart documentation: https://github.com/bitnami/charts/tree/main/bitnami/redis |
| redis.enabled | bool | `true` | To use an external instance, switch enabled to `false`` and set the address in `redisServer` below |
| redis.tls.enabled | bool | `false` | If TLS is enabled, the Redis broker will use the redis:// and optionally mount the certificates from an existing secret. |
| redisParams | string | `""` | Parameters attached to the redis connection string, defaults to "ssl_cert_reqs=optional" if `redis.tls.enabled` |
| redisServer | string | `nil` | To use an external Redis instance, set `redis.enabled` to false and set the address here: |
| revisionHistoryLimit | int | `10` | Allow overriding of revisionHistoryLimit across all deployments. |
Expand All @@ -747,6 +743,10 @@ A Helm chart for Kubernetes to install DefectDojo
| tests.unitTests.resources.requests.cpu | string | `"100m"` | |
| tests.unitTests.resources.requests.memory | string | `"128Mi"` | |
| trackConfig | string | `"disabled"` | Track configuration (trackConfig): will automatically respin application pods in case of config changes detection can be: 1. disabled (default) 2. enabled, enables tracking configuration changes based on SHA256 |
| valkey | object | `{"auth":{"existingSecret":"defectdojo-valkey-specific","existingSecretPasswordKey":"valkey-password","password":""},"enabled":true,"sentinel":{"enabled":false},"service":{"port":6379},"tls":{"enabled":false}}` | For more advance options check the bitnami chart documentation: https://artifacthub.io/packages/helm/cloudpirates-valkey/valkey |
| valkey.enabled | bool | `true` | To use an external instance, switch enabled to `false` and set the address in `redisServer` below |
| valkey.service | object | `{"port":6379}` | To use a different port for Redis (default: 6379) |
| valkey.tls.enabled | bool | `false` | If TLS is enabled, the Redis broker will use the redis:// and optionally mount the certificates from an existing secret. |

----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)
29 changes: 14 additions & 15 deletions helm/defectdojo/README.md.gotmpl
Expand Up @@ -94,7 +94,7 @@ helm install \
--set django.ingress.enabled=${DJANGO_INGRESS_ENABLED} \
--set django.ingress.activateTLS=${DJANGO_INGRESS_ACTIVATE_TLS} \
--set createSecret=true \
--set createRedisSecret=true \
--set createValkeySecret=true \
--set createPostgresqlSecret=true
```

Expand Down Expand Up @@ -280,10 +280,10 @@ helm install \
--set host="defectdojo.${TLS_CERT_DOMAIN}" \
--set django.ingress.secretName="minikube-tls" \
--set createSecret=true \
--set createRedisSecret=true \
--set createValkeySecret=true \
--set createPostgresqlSecret=true

# For high availability deploy multiple instances of Django, Celery and Redis
# For high availability deploy multiple instances of Django, Celery and Valkey
helm install \
defectdojo \
./helm/defectdojo \
Expand All @@ -292,9 +292,10 @@ helm install \
--set django.ingress.secretName="minikube-tls" \
--set django.replicas=3 \
--set celery.worker.replicas=3 \
--set redis.replicas=3 \
--set valkey.architecture=replication \
--set valkey.replicaCount=3 \
--set createSecret=true \
--set createRedisSecret=true \
--set createValkeySecret=true \
--set createPostgresqlSecret=true

# Run highly available PostgreSQL cluster
Expand All @@ -306,13 +307,14 @@ helm install \
--set host="defectdojo.${TLS_CERT_DOMAIN}" \
--set django.replicas=3 \
--set celery.worker.replicas=3 \
--set redis.replicas=3 \
--set valkey.architecture=replication \
--set valkey.replicaCount=3 \
--set django.ingress.secretName="minikube-tls" \
--set postgresql.enabled=true \
--set postgresql.replication.enabled=true \
--set postgresql.replication.slaveReplicas=3 \
--set createSecret=true \
--set createRedisSecret=true \
--set createValkeySecret=true \
--set createPostgresqlSecret=true

# Note: If you run `helm install defectdojo before, you will get an error
Expand Down Expand Up @@ -359,16 +361,13 @@ You will still need to set a host value as well.

If you want to use a redis-sentinel setup as the Celery broker, you will need to set the following.

1. Set redis.scheme to "sentinel" in values.yaml
1. Set valkey.scheme to "sentinel" in values.yaml
2. Set two additional extraEnv vars specifying the sentinel master name and port in values.yaml

```yaml
celery:
broker: 'redis'

redis:
redisServer: 'PutYourRedisSentinelAddress'
valkey:
scheme: 'sentinel'
redisServer: 'PutYourRedisSentinelAddress'

extraEnv:
- name: DD_CELERY_BROKER_TRANSPORT_OPTIONS
Expand Down Expand Up @@ -451,10 +450,10 @@ extraEnv:

#### Step 4: Deploy DefectDojo

After modifying the `values.yaml` file as needed, deploy DefectDojo using Helm. This command also generates the required secrets for the DefectDojo admin UI and Redis:
After modifying the `values.yaml` file as needed, deploy DefectDojo using Helm. This command also generates the required secrets for the DefectDojo admin UI and Valkey:

```bash
helm install defectdojo defectdojo -f values.yaml -n defectdojo --set createSecret=true --set createRedisSecret=true
helm install defectdojo defectdojo -f values.yaml -n defectdojo --set createSecret=true --set createValkeySecret=true
```


12 changes: 4 additions & 8 deletions helm/defectdojo/templates/_helpers.tpl
Expand Up @@ -58,29 +58,25 @@
{{- end -}}

{{- define "redis.hostname" -}}
{{- if eq .Values.celery.broker "redis" -}}
{{- if .Values.redis.enabled -}}
{{- printf "%s-%s" .Release.Name "redis-master" | trunc 63 | trimSuffix "-" -}}
{{- if .Values.valkey.enabled -}}
{{- printf "%s-%s" .Release.Name "valkey" | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- .Values.redisServer | default "127.0.0.1" | quote -}}
{{- end -}}
{{- end -}}
{{- end -}}

{{- /*
Determine the protocol to use for Redis.
*/}}
{{- define "redis.scheme" -}}
{{- if eq .Values.celery.broker "redis" -}}
{{- if .Values.redis.tls.enabled -}}
{{- if .Values.valkey.tls.enabled -}}
{{- printf "rediss" -}}
{{- else if .Values.redis.sentinel.enabled -}}
{{- else if .Values.valkey.sentinel.enabled -}}
{{- printf "sentinel" -}}
{{- else -}}
{{- printf "redis" -}}
{{- end -}}
{{- end -}}
{{- end -}}

{{- /*
Builds the repository names for use with local or private registries
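Review bot: `redis.scheme` picks the scheme only from `.Values.valkey.tls.enabled` and `.Values.valkey.sentinel.enabled`, but the README updated in this same commit tells users to set `valkey.scheme` to "sentinel", a key this helper never reads, so following the README still renders `redis`. Either document `valkey.sentinel.enabled=true` instead, or honour the key with `{{- else if or .Values.valkey.sentinel.enabled (eq (.Values.valkey.scheme | default "") "sentinel") -}}`. `redis.hostname` also hard-codes the `<release>-valkey` service name, which presumably stops matching if the subchart's name is overridden; a one-line comment stating that assumption next to the `printf` would help.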
6 changes: 2 additions & 4 deletions helm/defectdojo/templates/celery-beat-deployment.yaml
Expand Up @@ -144,10 +144,8 @@ spec:
- name: DD_CELERY_BROKER_PASSWORD
valueFrom:
secretKeyRef:
{{- if eq .Values.celery.broker "redis" }}
name: {{ .Values.redis.auth.existingSecret | default "defectdojo-redis-specific" }}
key: {{ .Values.redis.auth.existingSecretPasswordKey | default "redis-password" }}
{{- end }}
name: {{ .Values.valkey.auth.existingSecret | default "defectdojo-valkey-specific" }}
key: {{ .Values.valkey.auth.existingSecretPasswordKey | default "valkey-password" }}
- name: DD_DATABASE_PASSWORD
valueFrom:
secretKeyRef:
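Review bot: The fallback `| default "defectdojo-valkey-specific"` on the `secretKeyRef` name exists only here and in the identical hunks of celery-worker-deployment.yaml and django-deployment.yaml; the Secret template in this commit renders `name: {{ .Values.valkey.auth.existingSecret }}` with no default, so an empty `valkey.auth.existingSecret` would render a Secret without a name while the pods reference the default one. Moving the secret name and key into named helpers in `_helpers.tpl` and using them in all four templates would keep them in step. Releases upgraded from the Redis-based chart will also start looking for the new secret name and the `valkey-password` key, so the upgrade notes should state that the old `defectdojo-redis-specific` Secret is no longer read. The container spec continues outside the hunk.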
6 changes: 2 additions & 4 deletions helm/defectdojo/templates/celery-worker-deployment.yaml
Expand Up @@ -139,10 +139,8 @@ spec:
- name: DD_CELERY_BROKER_PASSWORD
valueFrom:
secretKeyRef:
{{- if eq .Values.celery.broker "redis" }}
name: {{ .Values.redis.auth.existingSecret| default "defectdojo-redis-specific" }}
key: {{ .Values.redis.auth.existingSecretPasswordKey | default "redis-password" }}
{{- end }}
name: {{ .Values.valkey.auth.existingSecret| default "defectdojo-valkey-specific" }}
key: {{ .Values.valkey.auth.existingSecretPasswordKey | default "valkey-password" }}
- name: DD_DATABASE_PASSWORD
valueFrom:
secretKeyRef:
8 changes: 4 additions & 4 deletions helm/defectdojo/templates/configmap.yaml
@@ -1,5 +1,5 @@
{{- $fullName := include "defectdojo.fullname" . -}}
{{- $defaultBrokerParams := ternary "ssl_cert_reqs=optional" "" .Values.redis.tls.enabled -}}
{{- $defaultBrokerParams := ternary "ssl_cert_reqs=optional" "" .Values.valkey.tls.enabled -}}
apiVersion: v1
kind: ConfigMap
metadata:
Expand All @@ -26,10 +26,10 @@ data:
DD_ADMIN_LAST_NAME: {{ .Values.admin.LastName | default "User" }}
DD_ALLOWED_HOSTS: {{ include "django.allowed_hosts" . }}
DD_SITE_URL: {{ .Values.siteUrl | default "http://localhost:8080" }}
DD_CELERY_BROKER_SCHEME: {{ if eq .Values.celery.broker "redis" }}{{ template "redis.scheme" . }}{{ end }}
DD_CELERY_BROKER_SCHEME: {{ template "redis.scheme" . }}
DD_CELERY_BROKER_USER: ''
DD_CELERY_BROKER_HOST: {{ if eq .Values.celery.broker "redis" }}{{ template "redis.hostname" . }}{{ end }}
DD_CELERY_BROKER_PORT: '{{ if eq .Values.celery.broker "redis" }}{{- if ( hasKey .Values.redis "master" ) -}}{{ .Values.redis.master.service.ports.redis }}{{ else }}6379{{ end }}{{- end -}}'
DD_CELERY_BROKER_HOST: {{ template "redis.hostname" . }}
DD_CELERY_BROKER_PORT: '{{ .Values.valkey.service.port }}'
DD_CELERY_BROKER_PARAMS: '{{ .Values.redisParams | default $defaultBrokerParams }}'
DD_CELERY_BROKER_PATH: '{{ .Values.celery.path | default "//" }}'
DD_CELERY_LOG_LEVEL: {{ .Values.celery.logLevel }}
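Review bot: `DD_CELERY_BROKER_PORT` now renders `.Values.valkey.service.port` with no fallback, where the old expression fell back to `6379`, so it relies on the chart's values.yaml always supplying that key; a values file that nulls `valkey.service` would presumably yield an empty port or a template error. A defensive form is `'{{ .Values.valkey.service.port | default 6379 }}'`. The same key now also sets the port for an external broker (`valkey.enabled=false` with `redisServer`), which is not obvious from its name; a comment above the line such as `# also used as the port of an external redisServer` would make that explicit.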
6 changes: 2 additions & 4 deletions helm/defectdojo/templates/django-deployment.yaml
Expand Up @@ -199,10 +199,8 @@ spec:
- name: DD_CELERY_BROKER_PASSWORD
valueFrom:
secretKeyRef:
{{- if eq .Values.celery.broker "redis" }}
name: {{ .Values.redis.auth.existingSecret | default "defectdojo-redis-specific" }}
key: {{ .Values.redis.auth.existingSecretPasswordKey | default "redis-password" }}
{{- end }}
name: {{ .Values.valkey.auth.existingSecret | default "defectdojo-valkey-specific" }}
key: {{ .Values.valkey.auth.existingSecretPasswordKey | default "valkey-password" }}
{{- if .Values.django.uwsgi.enableDebug }}
- name: DD_DEBUG
value: 'True'
@@ -1,4 +1,4 @@
{{- if .Values.createRedisSecret -}}
{{- if .Values.createValkeySecret -}}
apiVersion: v1
kind: Secret
metadata:
Expand All @@ -19,13 +19,18 @@ metadata:
{{- range $key, $value := .Values.extraLabels }}
{{ $key }}: {{ quote $value }}
{{- end }}
name: {{ .Values.redis.auth.existingSecret }}
name: {{ .Values.valkey.auth.existingSecret }}
namespace: {{ .Release.Namespace }}
type: Opaque
data:
{{- if .Values.redis.auth.password }}
{{ .Values.redis.auth.existingSecretPasswordKey }}: {{ .Values.redis.auth.password | b64enc | quote }}
{{- if .Values.valkey.auth.password }}
{{ .Values.valkey.auth.existingSecretPasswordKey }}: {{ .Values.valkey.auth.password | b64enc | quote }}
{{- else }}
{{ .Values.redis.auth.existingSecretPasswordKey }}: {{ randAlphaNum 10 | b64enc | quote }}
{{ .Values.valkey.auth.existingSecretPasswordKey }}: {{ randAlphaNum 10 | b64enc | quote }}
{{- end }}
{{- end }}

---
{{- if .Values.createRedisSecret -}}
{{- fail "Error: 'createRedisSecret' value is not supported anymore. Because of license reason, DefectDojo migrated to Valkey. Use 'createValkeySecret' instead. To be sure that you Redis is migrated to Valkey correctly, please follow release notes." }}
{{- end }}
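Review bot: The generated fallback password is `randAlphaNum 10`, which is short for the credential protecting the Celery broker, and because it is evaluated on every render, a `helm upgrade` without `valkey.auth.password` set will presumably write a new random value into the Secret. Suggest `{{ randAlphaNum 32 | b64enc | quote }}` and, unless the chart handles it elsewhere, reusing the existing value via `lookup` so the password stays stable across upgrades. The `fail` message reads "To be sure that you Redis is migrated", where "your Redis" is meant. The README table in this commit still describes `createRedisSecret` as deprecated, although this template now aborts rendering when it is set.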