

@carlosmt86 carlosmt86 commented Oct 23, 2025

Fixes: #13391

⚠️ Pre-Approval check ⚠️

We don't want to waste your time, so if you're unsure whether your hypothetical enhancement meets the criteria for approval, please file an issue to get pre-approval before beginning work on a PR.
Learn more here: https://github.com/DefectDojo/django-DefectDojo/blob/master/readme-docs/CONTRIBUTING.md#submission-pre-approval

Description

Describe the feature / bug fix implemented by this PR.
If this is a new parser, the parser guide may be worth (re)reading.

Test results

Ideally you extend the test suite in tests/ and dojo/unittests to cover the changes in this PR.
Alternatively, describe what you have and haven't tested.

Documentation

Please update any documentation when needed in the documentation folder.

Checklist

This checklist is for your information.

  • Make sure to rebase your PR against the very latest dev.
  • Features/Changes should be submitted against the dev.
  • Bugfixes should be submitted against the bugfix branch.
  • Give a meaningful name to your PR, as it may end up being used in the release notes.
  • Your code is flake8 compliant.
  • Your code is python 3.12 compliant.
  • If this is a new feature and not a bug fix, you've included the proper documentation in the docs at https://github.com/DefectDojo/django-DefectDojo/tree/dev/docs as part of this PR.
  • Model changes must include the necessary migrations in the dojo/db_migrations folder.
  • Add applicable tests to the unit tests.
  • Add the proper label to categorize your PR.

Extra information

Please clear everything below when submitting your pull request, it's here purely for your information.

Moderators: Labels currently accepted for PRs:

  • Import Scans (for new scanners/importers)
  • enhancement
  • performance
  • feature
  • bugfix
  • maintenance (a.k.a chores)
  • dependencies
  • New Migration (when the PR introduces a DB migration)
  • settings_changes (when the PR introduces changes or new settings in settings.dist.py)

Contributors: Git Tips

Rebase on dev branch

If the dev branch has changed since you started working on it, please rebase your work after the current dev.

On your working branch mybranch:

git rebase dev mybranch

In case of conflict:

 git mergetool
 git rebase --continue

When everything's fine on your local branch, force push to your myOrigin remote:

git push myOrigin --force-with-lease

To cancel everything:

git rebase --abort

Squashing commits

git rebase -i origin/dev
  • Replace pick by fixup on the commits you want squashed out
  • Replace pick by reword on the first commit if you want to change the commit message
  • Save the file and quit your editor

Force push to your myOrigin remote:

git push myOrigin --force-with-lease

@github-actions github-actions bot added the helm label Oct 23, 2025
@carlosmt86 carlosmt86 force-pushed the feat/chart_hpa_pdb_13391 branch 5 times, most recently from 59e977a to 6ad7153 Compare October 23, 2025 14:31
@github-actions github-actions bot added the docs label Oct 23, 2025
@carlosmt86 carlosmt86 force-pushed the feat/chart_hpa_pdb_13391 branch from 6ad7153 to a12e4c1 Compare October 23, 2025 14:47
@Maffooch Maffooch requested review from kiblik and rossops October 23, 2025 16:47
@carlosmt86 carlosmt86 force-pushed the feat/chart_hpa_pdb_13391 branch 2 times, most recently from b402cbc to 8916e76 Compare October 24, 2025 08:02
@valentijnscholten valentijnscholten added this to the 2.52.0 milestone Oct 24, 2025
- Add PodDisruptionBudget for Django pods
- Add HorizontalPodAutoscaler for Django pods
- Add PodDisruptionBudget for Celery Beat pods
- Add HorizontalPodAutoscaler for Celery Beat pods
- All resources default to disabled (enabled: false)
- Configurable via values.yaml

Fixes DefectDojo#13391
@carlosmt86 carlosmt86 force-pushed the feat/chart_hpa_pdb_13391 branch from 8916e76 to feeec15 Compare October 24, 2025 09:57
@rossops rossops (Collaborator) commented Oct 24, 2025

We should also strongly consider adding terminationGracePeriodSeconds to the django and definitely the celery-worker deployments with higher than the default 30(s) value. Using the default scale down behavior may not leave enough time for those jobs to finish after getting SIGTERM. I'd recommend 60 for django and 300 for celery-worker (largely based on my own usage).

@kiblik kiblik (Contributor) left a comment

Fully agree with @rossops's comments


dryrunsecurity bot commented Oct 29, 2025

DryRun Security

This pull request introduces an uncontrolled configuration injection risk: the Celery worker PodDisruptionBudget Helm template renders .Values.celery.worker.podDisruptionBudget via toYaml without schema-enforced additionalProperties: false, allowing arbitrary values to be injected into the PDB spec (which could enable attackers to make the PDB overly restrictive or permissive and cause denial-of-service of cluster operations).

Uncontrolled Configuration Injection in helm/defectdojo/templates/celery-worker-pdb.yaml
Vulnerability Uncontrolled Configuration Injection
Description The Helm chart for the Celery worker Pod Disruption Budget (PDB) uses toYaml on .Values.celery.worker.podDisruptionBudget. The values.schema.json for this object does not explicitly set additionalProperties: false, which means that any arbitrary key-value pairs provided by a user in the Helm values for celery.worker.podDisruptionBudget will be rendered directly into the Kubernetes PodDisruptionBudget spec. This allows an attacker with control over Helm values to inject arbitrary fields into the PDB spec, potentially leading to a denial of service for cluster operations by making the PDB too restrictive (e.g., maxUnavailable: 0) or negating its purpose by making it too permissive.

{{ toYaml (omit .Values.celery.worker.podDisruptionBudget "enabled" ) | indent 2 }}
{{- end }}


All finding details can be found in the DryRun Security Dashboard.
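One way to close the gap the bot describes is to constrain the object in values.schema.json so that only known keys reach the template. The fragment below is an added illustration, not part of this PR or the chart; the key names other than enabled are assumed from the Kubernetes PodDisruptionBudget spec (minAvailable, maxUnavailable), which allows only one of the two.

```json
{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "type": "object",
  "properties": {
    "celery": {
      "type": "object",
      "properties": {
        "worker": {
          "type": "object",
          "properties": {
            "podDisruptionBudget": {
              "type": "object",
              "additionalProperties": false,
              "properties": {
                "enabled": { "type": "boolean" },
                "minAvailable": { "type": ["integer", "string"] },
                "maxUnavailable": { "type": ["integer", "string"] }
              },
              "not": {
                "required": ["minAvailable", "maxUnavailable"]
              }
            }
          }
        }
      }
    }
  }
}
```

Helm validates user values against values.schema.json on lint, template, install and upgrade, so an unexpected key under celery.worker.podDisruptionBudget fails rendering instead of being passed through toYaml into the PDB spec.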

@carlosmt86 carlosmt86 requested review from kiblik and rossops October 30, 2025 10:59
@carlosmt86 carlosmt86 requested a review from rossops October 31, 2025 10:19
@kiblik kiblik (Contributor) left a comment

A couple of small questions/suggestions (see comments).
Plus, can you add a description to https://github.com/DefectDojo/django-DefectDojo/blob/dev/helm/defectdojo/Chart.yaml#L37 (it will fix the linter).
The rest looks good to me.

averageUtilization: {{ . }}
type: Utilization
{{- end }}
{{- if .Values.celery.worker.autoscaling.autoscaleBehavior }}
Contributor comment:

Is there any reason not to use with here?

type: Utilization
{{- end }}
{{- if .Values.celery.worker.autoscaling.autoscaleBehavior }}
behavior: {{ toYaml .Values.celery.worker.autoscaling.autoscaleBehavior | nindent 4 }}
Contributor comment:

Shorter version: ....autoscaling.behavior might be better

averageUtilization: {{ . }}
type: Utilization
{{- end }}
{{- if .Values.django.autoscaling.autoscaleBehavior }}
Contributor comment:

Same (with)

type: Utilization
{{- end }}
{{- if .Values.django.autoscaling.autoscaleBehavior }}
behavior: {{ toYaml .Values.django.autoscaling.autoscaleBehavior | nindent 4 }}
Contributor comment:

Same (....autoscaling.behavior)
