feat(helm): Use Valkey

[kiblik]

Fix #13323

#13331 was replaced only in docker-compose. This PR replaces it in the HELM chart as well.
Official Valkey HELM charts would require too many customisations; we needed something more developed. https://artifacthub.io/packages/helm/cloudpirates-valkey/valkey supported many fields that are compatible with the previous Bitnami stack.

There are multiple places that are mentioned in release notes.

[github-actions]

Conflicts have been resolved. A maintainer will review the pull request shortly.

[Maffooch]

Hi @kiblik the valkey migration is slated for release in the upcoming minor release on November 3rd. The docker compose PR looks ready to roll after your feedback was incorporated. Is there anything left to be implemented in this PR for the helm chart?

[kiblik]

So, my original idea was to replace Bitnami Redis with the official Valkey Helm chart. Unfortunately, this is not fully possible because authN issue.
The official Valkey Helm chart does not support the approach: "This is a password which I generated/prepared for you. Use it". Valkey needs the users.acl file with the full definition of users.
This issue is partially solved in the open PR, but still not fully support "This is a prepared password. Use it."
So we might

• use Valkey chart from Bitnami. But charts and/or Docker images would have to be mirrored (not a good and maintainable solution)
• use CloudPirates chart (comes from the original Bitnami definition, but they keep it nicely maintained)
• use deployment without authN (we might depend on network isolation using NetworkPolicy)
• ???

[kiblik]

I hope migration will be easier, and I did not have enough time to come back to it until now.

[github-actions]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

[github-actions]

Conflicts have been resolved. A maintainer will review the pull request shortly.

[kiblik]

This PR is fully ready for review.

[fernandezcuesta]

@kiblik added some logic and yet another parameter to better isolate the 2 options (external Redis vs Valkey). Rather than that LGTM

[fernandezcuesta]

Suggested change

	{{- /*
	Determine the protocol to use for Redis.
	*/}}
	{{- define "redis.scheme" -}}
	{{- if eq .Values.celery.broker "redis" -}}
	{{- if .Values.redis.tls.enabled -}}
	{{- if .Values.valkey.tls.enabled -}}
	{{- printf "rediss" -}}
	{{- else if .Values.redis.sentinel.enabled -}}
	{{- else if .Values.valkey.sentinel.enabled -}}
	{{- printf "sentinel" -}}
	{{- else -}}
	{{- printf "redis" -}}
	{{- end -}}
	{{- end -}}
	{{- /*
	Determine the default params to use for Redis.
	*/}}
	{{- define "redis.params" -}}
	{{- $redisScheme := template "redis.scheme" . -}}
	{{- $defaultBrokerParams := ternary "ssl_cert_reqs=optional" "" (eq "rediss" $redisScheme -}}
	{{- if .Values.valkey.enabled -}}
	{{- default $defaultBrokerParams .Values.valkeyParams -}}
	{{- else -}}
	{{- default $defaultBrokerParams .Values.redisParams -}}
	{{- end -}}
	{{- /*
	Determine the protocol to use for Redis.
	*/}}
	{{- define "redis.scheme" -}}
	{{- if .Values.valkey.enabled -}}
	{{- if .Values.valkey.tls.enabled -}}
	rediss
	{{- else if .Values.valkey.sentinel.enabled -}}
	sentinel
	{{- else -}}
	redis
	{{- end -}}
	{{- else -}}
	{{- .Values.redisScheme -}}
	{{- end -}}
	{{- end -}}

[fernandezcuesta]

Suggested change

	{{- $defaultBrokerParams := ternary "ssl_cert_reqs=optional" "" .Values.valkey.tls.enabled -}}
	{{- $redisScheme := template "redis.scheme" . -}}
	{{- $defaultBrokerParams := ternary "ssl_cert_reqs=optional" "" (eq "rediss" $redisScheme -}}

[fernandezcuesta]

Suggested change

	redisParams: ""
	# -- Parameters attached to the valkey connection string, defaults to "ssl_cert_reqs=optional" if `valkey.tls.enabled`
	valkeyParams: ""
	#
	# External database support.
	#
	# @schema type:[string, null]
	# -- To use an external Redis instance, set `redis.enabled` to false and set the address here:
	redisServer: ~
	# -- Parameters attached to the redis connection string, defaults to "ssl_cert_reqs=optional" if `redisScheme` is `rediss`
	redisParams: ""
	# -- Define the protocol to use with the external Redis instance
	redisScheme: redis

[fernandezcuesta]

Ideally the scheme and params should be isolated when using an external redis or when opting in for Valkey.

⚠️ didn't tested myself though, but hope the logic is clear

[kiblik]

I like this approach. As it hasn't been tested, I will need more time to do that. I will check it next week.

[github-actions]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

[sgissi]

So, my original idea was to replace Bitnami Redis with the official Valkey Helm chart. Unfortunately, this is not fully possible because authN issue. The official Valkey Helm chart does not support the approach: "This is a password which I generated/prepared for you. Use it". Valkey needs the users.acl file with the full definition of users. This issue is partially solved in the open PR, but still not fully support "This is a prepared password. Use it." So we might

Hi, I'm one of the Valkey Helm chart maintainers. We have implemented both inline and secret-based passwords in the chart. Note that it currently only supports standalone deployments with replicas coming soon.

[github-actions]

Conflicts have been resolved. A maintainer will review the pull request shortly.

[dryrunsecurity]

This pull request introduces several security concerns: documentation encourages Helm-generated Valkey secrets without warning, the Valkey Helm chart is sourced from an unverified OCI repo (supply-chain risk), TLS defaults disable proper certificate validation for Celery (ssl_cert_reqs=optional), and the chart generates a relatively weak 10-character alphanumeric Valkey password (~59.5 bits entropy).

Insecure Documentation Examples in helm/defectdojo/README.md.gotmpl

Vulnerability

Insecure Documentation Examples

Description

The documentation examples in README.md.gotmpl consistently use --set createValkeySecret=true in helm install commands. This flag instructs Helm to generate and manage the Valkey secret, which can be less secure for production environments compared to using external secret managers or pre-existing, securely provisioned secrets. The documentation does not provide warnings about the implications of using Helm-generated secrets in production, nor does it guide users towards more secure alternatives that the chart itself supports (e.g., valkey.auth.existingSecret).

django-DefectDojo/helm/defectdojo/README.md.gotmpl

Lines 94 to 100 in 1e709eb

	--set django.ingress.enabled=${DJANGO_INGRESS_ENABLED} \
	--set django.ingress.activateTLS=${DJANGO_INGRESS_ACTIVATE_TLS} \
	--set createSecret=true \
	--set createValkeySecret=true \
	--set createPostgresqlSecret=true
	```

Supply Chain Risk from Unverified Helm Chart in helm/defectdojo/Chart.yaml

Vulnerability

Supply Chain Risk from Unverified Helm Chart

Description

The Helm chart for 'valkey' is sourced from an unverified repository ('oci://registry-1.docker.io/cloudpirates'). There is no evidence to suggest that 'cloudpirates' is a reputable or official publisher for Valkey Helm charts, nor is it associated with the official Valkey project or trusted vendors like Bitnami. This introduces a significant supply chain risk, as the integrity and security of the deployed chart cannot be assured.

django-DefectDojo/helm/defectdojo/Chart.yaml

Lines 18 to 21 in 1e709eb

	repository: "oci://registry-1.docker.io/cloudpirates"
	condition: valkey.enabled
	# For correct syntax, check https://artifacthub.io/docs/topics/annotations/helm/
	# This is example for "artifacthub.io/changes"

Insecure Default TLS Configuration in helm/defectdojo/templates/configmap.yaml

Vulnerability

Insecure Default TLS Configuration

Description

The Helm chart's default configuration for the Celery broker connection to Valkey sets ssl_cert_reqs=optional when TLS is enabled (rediss scheme). This setting disables proper server certificate validation, allowing Man-in-the-Middle (MitM) attacks where an attacker can intercept and potentially tamper with communications without detection. While the chart provides valkeyParams to override this, the default is insecure.

django-DefectDojo/helm/defectdojo/templates/configmap.yaml

Lines 3 to 6 in 1e709eb

	{{- $defaultBrokerParams := ternary "ssl_cert_reqs=optional" "" (eq "rediss" $redisScheme) -}}
	apiVersion: v1
	kind: ConfigMap
	metadata:

Weak Password Generation in helm/defectdojo/templates/secret-valkey.yaml

Vulnerability

Weak Password Generation

Description

The Helm chart generates a 10-character alphanumeric password for Valkey using randAlphaNum 10. This results in approximately 59.54 bits of entropy. While there isn't a single universally agreed-upon minimum entropy for all machine-generated secrets, security best practices often recommend higher entropy for long-lived secrets. For instance, OWASP suggests 64 bits of entropy for session IDs, and cryptographic key recommendations can go as high as 112 bits for long-term security. A password with ~59.54 bits of entropy is below these common recommendations, making it potentially vulnerable to offline brute-force attacks if the secret hash is compromised, especially in high-security environments.

django-DefectDojo/helm/defectdojo/templates/secret-valkey.yaml

Lines 33 to 36 in 1e709eb

	{{ .Values.valkey.auth.existingSecretPasswordKey }}: {{ randAlphaNum 10 | b64enc | quote }}
	{{- end }}
	{{- end }}

---

All finding details can be found in the DryRun Security Dashboard.

[github-actions]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

[github-actions]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

[github-actions]

Conflicts have been resolved. A maintainer will review the pull request shortly.