Skip to content

Feat: Add HPA & PDB Helm Chart Support #13391 #13512

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: dev
Choose a base branch
from
Open

Feat: Add HPA & PDB Helm Chart Support #13391 #13512

wants to merge 3 commits into from

Conversation

@carlosmt86
Copy link

@carlosmt86 carlosmt86 commented Oct 23, 2025
edited
Loading

Fixes: #13391

⚠️ Pre-Approval check ⚠️

We don't want to waste your time, so if you're unsure whether your hypothetical enhancement meets the criteria for approval, please file an issue to get pre-approval before beginning work on a PR.
Learn more here: https://github.com/DefectDojo/django-DefectDojo/blob/master/readme-docs/CONTRIBUTING.md#submission-pre-approval

Description

Describe the feature / bug fix implemented by this PR.
If this is a new parser, the parser guide may be worth (re)reading.

Test results

Ideally you extend the test suite in tests/ and dojo/unittests to cover the changed in this PR.
Alternatively, describe what you have and haven't tested.

Documentation

Please update any documentation when needed in the documentation folder)

Checklist

This checklist is for your information.

  • Make sure to rebase your PR against the very latest dev.
  • Features/Changes should be submitted against the dev.
  • Bugfixes should be submitted against the bugfix branch.
  • Give a meaningful name to your PR, as it may end up being used in the release notes.
  • Your code is flake8 compliant.
  • Your code is python 3.12 compliant.
  • If this is a new feature and not a bug fix, you've included the proper documentation in the docs at https://github.com/DefectDojo/django-DefectDojo/tree/dev/docs as part of this PR.
  • Model changes must include the necessary migrations in the dojo/db_migrations folder.
  • Add applicable tests to the unit tests.
  • Add the proper label to categorize your PR.

Extra information

Please clear everything below when submitting your pull request, it's here purely for your information.

Moderators: Labels currently accepted for PRs:

  • Import Scans (for new scanners/importers)
  • enhancement
  • performance
  • feature
  • bugfix
  • maintenance (a.k.a chores)
  • dependencies
  • New Migration (when the PR introduces a DB migration)
  • settings_changes (when the PR introduces changes or new settings in settings.dist.py)

Contributors: Git Tips

Rebase on dev branch

If the dev branch has changed since you started working on it, please rebase your work after the current dev.

On your working branch mybranch:

git rebase dev mybranch

In case of conflict:

 git mergetool
 git rebase --continue

When everything's fine on your local branch, force push to your myOrigin remote:

git push myOrigin --force-with-lease

To cancel everything:

git rebase --abort

Squashing commits

git rebase -i origin/dev
  • Replace pick by fixup on the commits you want squashed out
  • Replace pick by reword on the first commit if you want to change the commit message
  • Save the file and quit your editor

Force push to your myOrigin remote:

git push myOrigin --force-with-lease

@github-actions github-actions bot added the helm label Oct 23, 2025
@carlosmt86 carlosmt86 force-pushed the feat/chart_hpa_pdb_13391 branch 5 times, most recently from 59e977a to 6ad7153 Compare October 23, 2025 14:31
@github-actions github-actions bot added the docs label Oct 23, 2025
@carlosmt86 carlosmt86 force-pushed the feat/chart_hpa_pdb_13391 branch from 6ad7153 to a12e4c1 Compare October 23, 2025 14:47
@Maffooch Maffooch requested review from kiblik and rossops October 23, 2025 16:47
@carlosmt86 carlosmt86 force-pushed the feat/chart_hpa_pdb_13391 branch 2 times, most recently from b402cbc to 8916e76 Compare October 24, 2025 08:02
@valentijnscholten valentijnscholten added this to the 2.52.0 milestone Oct 24, 2025
@carlosmt86
feat(helm): add HPA and PDB support for Django and Celery Beat
feeec15 
- Add PodDisruptionBudget for Django pods
- Add HorizontalPodAutoscaler for Django pods
- Add PodDisruptionBudget for Celery Beat pods
- Add HorizontalPodAutoscaler for Celery Beat pods
- All resources default to disabled (enabled: false)
- Configurable via values.yaml

Fixes DefectDojo#13391
@carlosmt86 carlosmt86 force-pushed the feat/chart_hpa_pdb_13391 branch from 8916e76 to feeec15 Compare October 24, 2025 09:57
rossops
rossops reviewed Oct 24, 2025
View reviewed changes
rossops
rossops reviewed Oct 24, 2025
View reviewed changes
rossops
rossops reviewed Oct 24, 2025
View reviewed changes
rossops
rossops reviewed Oct 24, 2025
View reviewed changes
rossops
rossops reviewed Oct 24, 2025
View reviewed changes
rossops
rossops reviewed Oct 24, 2025
View reviewed changes
rossops
rossops reviewed Oct 24, 2025
View reviewed changes
@rossops
Copy link
Collaborator

rossops commented Oct 24, 2025

We should also strongly consider adding terminationGracePeriodSeconds to the django and definitely the celery-worker deployments with higher than the default 30(s) value. Using the default scale down behavior may not leave enough time for those jobs to finish after getting SIGTERM. I'd recommend 60 for django and 300 for celery-worker (largely based on my own usage).

kiblik
kiblik reviewed Oct 24, 2025
View reviewed changes
Copy link
Contributor

@kiblik kiblik left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fully agree with @rossops's comments

@kiblik kiblik mentioned this pull request Oct 24, 2025
Merged
@dryrunsecurity
Copy link

DryRun Security

This pull request exposes the Celery worker PodDisruptionBudget spec to uncontrolled configuration injection by rendering the entire .Values.celery.worker.podDisruptionBudget with toYaml while allowing arbitrary additional properties in values.schema.json; an attacker who can supply Helm values could add or change fields (e.g., maxUnavailable, minAvailable) to prevent legitimate disruptions or disable protections, causing maintenance disruptions or outages.

Uncontrolled Configuration Injection in helm/defectdojo/templates/celery-worker-pdb.yaml
Vulnerability Uncontrolled Configuration Injection
Description The Helm chart for Celery worker Pod Disruption Budget (PDB) uses toYaml on the .Values.celery.worker.podDisruptionBudget object to construct the PDB's spec. While the enabled field is omitted, the remaining fields (minAvailable, unhealthyPodEvictionPolicy) are directly exposed. More critically, because podDisruptionBudget is defined as a generic object in values.schema.json with additionalProperties: true, an attacker can inject arbitrary fields into the PDB spec. This allows an attacker with control over Helm values to introduce fields like maxUnavailable: 0, effectively preventing any voluntary disruptions (e.g., node maintenance, upgrades) for the Celery worker pods, leading to a denial of service for cluster operations or making the application unavailable during necessary maintenance. Conversely, they could set minAvailable: 0 or maxUnavailable: 100% on a single-replica deployment, negating the PDB's purpose and risking service outages during disruptions.

django-DefectDojo/helm/defectdojo/templates/celery-worker-pdb.yaml

Lines 30 to 31 in 4544224

{{ toYaml (omit .Values.celery.worker.podDisruptionBudget "enabled" ) | indent 2 }}
{{- end }}

All finding details can be found in the DryRun Security Dashboard.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kiblik kiblik kiblik left review comments

@rossops rossops rossops left review comments

@Maffooch Maffooch Awaiting requested review from Maffooch Maffooch is a code owner

@mtesauro mtesauro Awaiting requested review from mtesauro mtesauro is a code owner

At least 4 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

docs helm

Projects

None yet

Milestone

2.52.0

Development

Successfully merging this pull request may close these issues.

4 participants

@carlosmt86 @rossops @kiblik @valentijnscholten