feat(helm): Use Valkey

Signed-off-by: kiblik <5609770+kiblik@users.noreply.github.com>

Author: renovate[bot]

.github/workflows/k8s-tests.yml

@@ -73,8 +73,8 @@ jobs:
                --set images.nginx.image.tag=latest \
                --set imagePullPolicy=Never \
                --set initializer.keepSeconds="-1" \
-               --set redis.enabled=true \
-               --set createRedisSecret=true \
+               --set valkey.enabled=true \
+               --set createValkeySecret=true \
                --set postgresql.enabled=true \
                --set createPostgresqlSecret=true \
                --set createSecret=true

docs/content/en/open_source/upgrading/2.53.md

@@ -2,36 +2,68 @@
 title: 'Upgrading to DefectDojo Version 2.53.x'
 toc_hide: true
 weight: -20251103
-description: Helm chart changes
-
+description: "Helm chart: changes for initializer annotations + Replaced Redis with Valkey + HPA & PDB support"
 ---
 
 ## Helm Chart Changes
 
-This release introduces an important change to the Helm chart configuration for the initializer job and support for HPA and PDB.
+- This release introduces an important change to the Helm chart configuration for the initializer job.
+- DefectDojo `2.52.0` replaced Redis with Valkey in `docker-compose` deployment. DefectDojo `2.53.0` (chart `1.9.0`) is replacing it in HELM charts.
+- Add support for HPA and PDB
 
-### New values
+#### HPA & PDA
 
 Added Helm chart support for Celery and Django deployments for Horizontal Pod Autoscaler using `.autoscaling` fields under each section. And Pod Disruption Budget using `.podDisruptionBudget` for any of Celery Beat/Worker or Django deploy
 
 ### Breaking changes
 
+#### Valkey 
+
+##### Renamed values 
+
+HELM values had been changed to the following:
+- `createRedisSecret` → `createValkeySecret` (`createRedisSecret` is still in place to be able to correctly show error message, but it will be removed in the future)
+- `redis.enabled` → `valkey.enabled`
+- `redis.auth.existingSecret` → `valkey.auth.existingSecret`, plus value is pointing to secret `defectdojo-valkey-specific` now
+- `redis.auth.existingSecretPasswordKey` → `valkey.auth.existingSecretPasswordKey`, plus value is pointing to secret `valkey-password` now
+- `redis.auth.password` → `valkey.auth.password`
+- `redis.master.service.ports.redis` → `valkey.service.port`
+- `redis.sentinel...` → `valkey.sentinel...`
+- `redis.tls...` → `valkey.tls...`
+
+The whole subchart is based on [`cloudpirates-valkey`](https://artifacthub.io/packages/helm/cloudpirates-valkey/valkey), so all additional values can be found there.
+
+##### How to migrate to Valkey
+
+0. As always, perform a backup of your instance
+1. If you would like to be 100% sure that you do not miss any async event (triggered deduplication, email notification, ...) it is recommended to perform the following substeps (if your system is not in production and/or you are willing to miss some notifications or postpone deduplication to a later time, feel free to skip these substeps)
+   0. Perform the following steps with your previous version of HELM chart (not with the upgraded one - you might lose your data)
+   1. Downscale all producers of async tasks: 
+      - Set `django.replicas` to 0 (if you used HPA, adjust it based on your needs)
+      - Set `celery.beat.replicas` to 0 (if you used HPA, adjust it based on your needs)
+      - Do not change `celery.worker.replicas` (they are responsible for processing your async tasks)
+   2. Wait until the processing queue is empty (choose one of the following methods):
+      - ``kubectl exec statefulset/defectdojo-redis-master -c redis -- redis-cli -a `kubectl get secret defectdojo-redis-specific -o go-template='{{index .data "redis-password" | base64decode}}'` llen celery`` -- should output 0 (if your HELM chart used a different name, adjust the command based on your environment)
+      - `kubectl logs deployment/defectdojo-celery-worker -c celery --all-pods=true --follow` -- should stop outputting new task logs
+2. Replace values based on the _Renamed values_ part, update the chart version, and set the number of replicas back. Be aware that Valkey is using a password from the new location, and if you use `createRedisSecret`/`createValkeySecret` password will be regenerated. If you stored this password somewhere else, it will not be valid anymore.
+3. Enjoy DefectDojo
+
 #### Initializer Annotation Handling
 
 - **Renamed initializer annotations**: The `initializer.annotations` field has been renamed to `initializer.podAnnotations` for clarity and consistency with other DefectDojo resources.
 - **Merged annotation support**: Global `extraAnnotations` are now automatically merged with the initializer's `podAnnotations` to ensure consistent annotation handling across all resources.
 
 > The previous implementation did not merge global `extraAnnotations` with the initializer job's pod annotations, causing inconsistencies in annotation management.
 
-#### Moved values
+##### Moved values
 
 The following Helm chart values have been modified in this release:
 
 - `initializer.annotations` → `initializer.podAnnotations` (applies to Pod template metadata within the Job)
 
 Note: `initializer.jobAnnotations` affects the Job spec metadata, while `initializer.podAnnotations` affects the Pod template metadata within the Job.
 
-#### Migration
+##### Migration
 
 If you were using:
 
@@ -54,3 +86,5 @@ Both `extraAnnotations` and `initializer.podAnnotations` will now be properly ap
 ## Reimport updates fields fix_available and fix_version
 
 Reimport will update existing findings `fix_available` and `fix_version` fields based on the incoming scan report.
+
+There are other special instructions for upgrading to 2.53.x. Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.53.0) for the contents of the release.

helm/defectdojo/Chart.lock

@@ -2,8 +2,8 @@ dependencies:
 - name: postgresql
   repository: oci://us-docker.pkg.dev/os-public-container-registry/defectdojo
   version: 16.7.27
-- name: redis
-  repository: oci://us-docker.pkg.dev/os-public-container-registry/defectdojo
-  version: 19.6.4
-digest: sha256:b22ad615baaa104a188c735f74ddddaec83b698315bb82f722679f762be64b50
-generated: "2025-08-27T11:22:22.13669-05:00"
+- name: valkey
+  repository: oci://registry-1.docker.io/cloudpirates
+  version: 0.10.0
+digest: sha256:f94f835d7d5306e5848a0bcca5db52db6c69cf9e355f75a65d8cf3f51b89f8d0
+generated: "2025-11-13T13:59:38.540395+01:00"

helm/defectdojo/Chart.yaml

@@ -13,10 +13,10 @@ dependencies:
     version: ~16.7.0
     repository: "oci://us-docker.pkg.dev/os-public-container-registry/defectdojo"
     condition: postgresql.enabled
-  - name: redis
-    version: ~19.6.4
-    repository: "oci://us-docker.pkg.dev/os-public-container-registry/defectdojo"
-    condition: redis.enabled
+  - name: valkey
+    version: ~0.10.0
+    repository: "oci://registry-1.docker.io/cloudpirates"
+    condition: valkey.enabled
 # For correct syntax, check https://artifacthub.io/docs/topics/annotations/helm/
 # This is example for "artifacthub.io/changes"
 # artifacthub.io/changes: |
@@ -39,3 +39,5 @@ annotations:
       description: Added HPA and PDB for celery worker and Django
     - kind: fixed
       description: extraAnnotations spec doesn't affect initializer job
+    - kind: changed
+      description: Replace Redis with Valkey

helm/defectdojo/README.md

@@ -94,7 +94,7 @@ helm install \
   --set django.ingress.enabled=${DJANGO_INGRESS_ENABLED} \
   --set django.ingress.activateTLS=${DJANGO_INGRESS_ACTIVATE_TLS} \
   --set createSecret=true \
-  --set createRedisSecret=true \
+  --set createValkeySecret=true \
   --set createPostgresqlSecret=true
 ```
 
@@ -280,10 +280,10 @@ helm install \
   --set host="defectdojo.${TLS_CERT_DOMAIN}" \
   --set django.ingress.secretName="minikube-tls" \
   --set createSecret=true \
-  --set createRedisSecret=true \
+  --set createValkeySecret=true \
   --set createPostgresqlSecret=true
 
-# For high availability deploy multiple instances of Django, Celery and Redis
+# For high availability deploy multiple instances of Django, Celery and Valkey
 helm install \
   defectdojo \
   ./helm/defectdojo \
@@ -292,9 +292,10 @@ helm install \
   --set django.ingress.secretName="minikube-tls" \
   --set django.replicas=3 \
   --set celery.worker.replicas=3 \
-  --set redis.replicas=3 \
+  --set valkey.architecture=replication \
+  --set valkey.replicaCount=3 \
   --set createSecret=true \
-  --set createRedisSecret=true \
+  --set createValkeySecret=true \
   --set createPostgresqlSecret=true
 
 # Run highly available PostgreSQL cluster
@@ -306,13 +307,14 @@ helm install \
   --set host="defectdojo.${TLS_CERT_DOMAIN}" \
   --set django.replicas=3 \
   --set celery.worker.replicas=3 \
-  --set redis.replicas=3 \
+  --set valkey.architecture=replication \
+  --set valkey.replicaCount=3 \
   --set django.ingress.secretName="minikube-tls" \
   --set postgresql.enabled=true \
   --set postgresql.replication.enabled=true \
   --set postgresql.replication.slaveReplicas=3 \
   --set createSecret=true \
-  --set createRedisSecret=true \
+  --set createValkeySecret=true \
   --set createPostgresqlSecret=true
 
 # Note: If you run `helm install defectdojo before, you will get an error
@@ -359,16 +361,13 @@ You will still need to set a host value as well.
 
 If you want to use a redis-sentinel setup as the Celery broker, you will need to set the following.
 
-1. Set redis.scheme to "sentinel" in values.yaml
+1. Set valkey.scheme to "sentinel" in values.yaml
 2. Set two additional extraEnv vars specifying the sentinel master name and port in values.yaml
 
 ```yaml
-celery:
-  broker: 'redis'
-
-redis:
-  redisServer: 'PutYourRedisSentinelAddress'
+valkey:
   scheme: 'sentinel'
+redisServer: 'PutYourRedisSentinelAddress'
 
 extraEnv:
   - name: DD_CELERY_BROKER_TRANSPORT_OPTIONS
@@ -451,10 +450,10 @@ extraEnv:
 
 #### Step 4: Deploy DefectDojo
 
-After modifying the `values.yaml` file as needed, deploy DefectDojo using Helm. This command also generates the required secrets for the DefectDojo admin UI and Redis:
+After modifying the `values.yaml` file as needed, deploy DefectDojo using Helm. This command also generates the required secrets for the DefectDojo admin UI and Valkey:
 
 ```bash
-helm install defectdojo defectdojo -f values.yaml -n defectdojo --set createSecret=true --set createRedisSecret=true
+helm install defectdojo defectdojo -f values.yaml -n defectdojo --set createSecret=true --set createValkeySecret=true
 ```
 
 **NOTE**: It is important to highlight that this setup can also be utilized for achieving high availability (HA) in PostgreSQL. By placing a load balancer in front of the PostgreSQL cluster, read and write requests can be efficiently routed to the appropriate primary or standby servers as needed.
@@ -526,8 +525,8 @@ A Helm chart for Kubernetes to install DefectDojo
 
 | Repository | Name | Version |
 |------------|------|---------|
+| oci://registry-1.docker.io/cloudpirates | valkey | ~0.10.0 |
 | oci://us-docker.pkg.dev/os-public-container-registry/defectdojo | postgresql | ~16.7.0 |
-| oci://us-docker.pkg.dev/os-public-container-registry/defectdojo | redis | ~19.6.4 |
 
 ## Values
 
@@ -564,7 +563,6 @@ A Helm chart for Kubernetes to install DefectDojo
 | celery.beat.resources.requests.memory | string | `"128Mi"` |  |
 | celery.beat.startupProbe | object | `{}` | Enable startup probe for Celery beat container. |
 | celery.beat.tolerations | list | `[]` |  |
-| celery.broker | string | `"redis"` |  |
 | celery.logLevel | string | `"INFO"` |  |
 | celery.worker.affinity | object | `{}` |  |
 | celery.worker.annotations | object | `{}` | Annotations for the Celery worker deployment. |
@@ -603,8 +601,8 @@ A Helm chart for Kubernetes to install DefectDojo
 | cloudsql.use_private_ip | bool | `false` | whether to use a private IP to connect to the database |
 | cloudsql.verbose | bool | `true` | By default, the proxy has verbose logging. Set this to false to make it less verbose |
 | createPostgresqlSecret | bool | `false` | create postgresql secret in defectdojo chart, outside of postgresql chart |
-| createRedisSecret | bool | `false` | create redis secret in defectdojo chart, outside of redis chart |
 | createSecret | bool | `false` | create defectdojo specific secret |
+| createValkeySecret | bool | `false` | create valkey secret in defectdojo chart, outside of valkey chart |
 | dbMigrationChecker.containerSecurityContext | object | `{}` | Container security context for the DB migration checker. |
 | dbMigrationChecker.enabled | bool | `true` | Enable/disable the DB migration checker. |
 | dbMigrationChecker.extraEnv | list | `[]` | Additional environment variables for DB migration checker. |
@@ -750,10 +748,7 @@ A Helm chart for Kubernetes to install DefectDojo
 | postgresql.primary.podSecurityContext.enabled | bool | `true` | Default is true for K8s. Enabled needs to false for OpenShift restricted SCC and true for anyuid SCC |
 | postgresql.primary.podSecurityContext.fsGroup | int | `1001` | fsGroup specification below is not applied if enabled=false. enabled=false is the required setting for OpenShift "restricted SCC" to work successfully. |
 | postgresql.volumePermissions.containerSecurityContext | object | `{"runAsUser":1001}` | if using restricted SCC set runAsUser: "auto" and if running under anyuid SCC - runAsUser needs to match the line above |
-| redis | object | `{"architecture":"standalone","auth":{"existingSecret":"defectdojo-redis-specific","existingSecretPasswordKey":"redis-password","password":""},"enabled":true,"sentinel":{"enabled":false},"tls":{"enabled":false}}` | For more advance options check the bitnami chart documentation: https://github.com/bitnami/charts/tree/main/bitnami/redis |
-| redis.enabled | bool | `true` | To use an external instance, switch enabled to `false`` and set the address in `redisServer` below |
-| redis.tls.enabled | bool | `false` | If TLS is enabled, the Redis broker will use the redis:// and optionally mount the certificates from an existing secret. |
-| redisParams | string | `""` | Parameters attached to the redis connection string, defaults to "ssl_cert_reqs=optional" if `redis.tls.enabled` |
+| redisParams | string | `""` | Parameters attached to the redis connection string, defaults to "ssl_cert_reqs=optional" if `valkey.tls.enabled` |
 | redisServer | string | `nil` | To use an external Redis instance, set `redis.enabled` to false and set the address here: |
 | revisionHistoryLimit | int | `10` | Allow overriding of revisionHistoryLimit across all deployments. |
 | secrets.annotations | object | `{}` | Add annotations for secret resources |
@@ -770,6 +765,10 @@ A Helm chart for Kubernetes to install DefectDojo
 | tests.unitTests.resources.requests.cpu | string | `"100m"` |  |
 | tests.unitTests.resources.requests.memory | string | `"128Mi"` |  |
 | trackConfig | string | `"disabled"` | Track configuration (trackConfig): will automatically respin application pods in case of config changes detection can be: 1. disabled (default) 2. enabled, enables tracking configuration changes based on SHA256 |
+| valkey | object | `{"auth":{"existingSecret":"defectdojo-valkey-specific","existingSecretPasswordKey":"valkey-password","password":""},"enabled":true,"sentinel":{"enabled":false},"service":{"port":6379},"tls":{"enabled":false}}` | For more advance options check the bitnami chart documentation: https://artifacthub.io/packages/helm/cloudpirates-valkey/valkey |
+| valkey.enabled | bool | `true` | To use an external instance, switch enabled to `false` and set the address in `redisServer` below |
+| valkey.service | object | `{"port":6379}` | To use a different port for Redis (default: 6379) |
+| valkey.tls.enabled | bool | `false` | If TLS is enabled, the Redis broker will use the redis:// and optionally mount the certificates from an existing secret. |
 
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)

helm/defectdojo/README.md.gotmpl

@@ -94,7 +94,7 @@ helm install \
   --set django.ingress.enabled=${DJANGO_INGRESS_ENABLED} \
   --set django.ingress.activateTLS=${DJANGO_INGRESS_ACTIVATE_TLS} \
   --set createSecret=true \
-  --set createRedisSecret=true \
+  --set createValkeySecret=true \
   --set createPostgresqlSecret=true
 ```
 
@@ -280,10 +280,10 @@ helm install \
   --set host="defectdojo.${TLS_CERT_DOMAIN}" \
   --set django.ingress.secretName="minikube-tls" \
   --set createSecret=true \
-  --set createRedisSecret=true \
+  --set createValkeySecret=true \
   --set createPostgresqlSecret=true
 
-# For high availability deploy multiple instances of Django, Celery and Redis
+# For high availability deploy multiple instances of Django, Celery and Valkey
 helm install \
   defectdojo \
   ./helm/defectdojo \
@@ -292,9 +292,10 @@ helm install \
   --set django.ingress.secretName="minikube-tls" \
   --set django.replicas=3 \
   --set celery.worker.replicas=3 \
-  --set redis.replicas=3 \
+  --set valkey.architecture=replication \
+  --set valkey.replicaCount=3 \
   --set createSecret=true \
-  --set createRedisSecret=true \
+  --set createValkeySecret=true \
   --set createPostgresqlSecret=true
 
 # Run highly available PostgreSQL cluster
@@ -306,13 +307,14 @@ helm install \
   --set host="defectdojo.${TLS_CERT_DOMAIN}" \
   --set django.replicas=3 \
   --set celery.worker.replicas=3 \
-  --set redis.replicas=3 \
+  --set valkey.architecture=replication \
+  --set valkey.replicaCount=3 \
   --set django.ingress.secretName="minikube-tls" \
   --set postgresql.enabled=true \
   --set postgresql.replication.enabled=true \
   --set postgresql.replication.slaveReplicas=3 \
   --set createSecret=true \
-  --set createRedisSecret=true \
+  --set createValkeySecret=true \
   --set createPostgresqlSecret=true
 
 # Note: If you run `helm install defectdojo before, you will get an error
@@ -359,16 +361,13 @@ You will still need to set a host value as well.
 
 If you want to use a redis-sentinel setup as the Celery broker, you will need to set the following.
 
-1. Set redis.scheme to "sentinel" in values.yaml
+1. Set valkey.scheme to "sentinel" in values.yaml
 2. Set two additional extraEnv vars specifying the sentinel master name and port in values.yaml
 
 ```yaml
-celery:
-  broker: 'redis'
-
-redis:
-  redisServer: 'PutYourRedisSentinelAddress'
+valkey:
   scheme: 'sentinel'
+redisServer: 'PutYourRedisSentinelAddress'
 
 extraEnv:
   - name: DD_CELERY_BROKER_TRANSPORT_OPTIONS
@@ -451,10 +450,10 @@ extraEnv:
 
 #### Step 4: Deploy DefectDojo
 
-After modifying the `values.yaml` file as needed, deploy DefectDojo using Helm. This command also generates the required secrets for the DefectDojo admin UI and Redis:
+After modifying the `values.yaml` file as needed, deploy DefectDojo using Helm. This command also generates the required secrets for the DefectDojo admin UI and Valkey:
 
 ```bash
-helm install defectdojo defectdojo -f values.yaml -n defectdojo --set createSecret=true --set createRedisSecret=true
+helm install defectdojo defectdojo -f values.yaml -n defectdojo --set createSecret=true --set createValkeySecret=true
 ```
 
 

helm/defectdojo/templates/_helpers.tpl

@@ -58,29 +58,25 @@
 {{- end -}}
 
 {{- define "redis.hostname" -}}
-{{- if eq .Values.celery.broker "redis" -}}
-{{- if .Values.redis.enabled -}}
-{{- printf "%s-%s" .Release.Name "redis-master" | trunc 63 | trimSuffix "-" -}}
+{{- if .Values.valkey.enabled -}}
+{{- printf "%s-%s" .Release.Name "valkey" | trunc 63 | trimSuffix "-" -}}
 {{- else -}}
 {{- .Values.redisServer | default "127.0.0.1" | quote -}}
 {{- end -}}
 {{- end -}}
-{{- end -}}
 
 {{- /*
   Determine the protocol to use for Redis.
 */}}
 {{- define "redis.scheme" -}}
-{{- if eq .Values.celery.broker "redis" -}}
-{{- if .Values.redis.tls.enabled -}}
+{{- if .Values.valkey.tls.enabled -}}
 {{- printf "rediss" -}}
-{{- else if .Values.redis.sentinel.enabled -}}
+{{- else if .Values.valkey.sentinel.enabled -}}
 {{- printf "sentinel" -}}
 {{- else -}}
 {{- printf "redis" -}}
 {{- end -}}
 {{- end -}}
-{{- end -}}
 
 {{- /*
   Builds the repository names for use with local or private registries