feat(helm): add Gateway API HTTPRoute and External Secrets Operator support #14985

jonasschultheiss wants to merge 3 commits into
Conversation
…upport

Add HTTPRoute template as an alternative to the classic Ingress resource for users running Kubernetes Gateway API controllers. The template supports parentRefs, hostnames, flexible match rules with filters, and automatically selects port 80/443 based on the existing nginx TLS configuration.

Add ExternalSecret template for integrating with the External Secrets Operator (ESO), allowing users to sync secrets from external stores (e.g. HashiCorp Vault, AWS Secrets Manager, Azure Key Vault) instead of managing them directly in Helm values or Kubernetes Secrets.

Both features are disabled by default and fully opt-in.
@jonasschultheiss Please make PRs against the For details, see: https://github.com/DefectDojo/django-DefectDojo/blob/master/readme-docs/CONTRIBUTING.md
@mtesauro I've updated the base branch
The list-item dash `-` is attached to the `matches` block, not the rule itself: Gateway API makes `matches` optional (an omitted `matches` defaults to path-prefix `/`), so a catch-all rule — e.g. `rules: [{filters: [...]}]` or `rules: [{}]` — is valid input. But without `.matches`, no dash is emitted and `rules` renders as a map instead of a list: `helm template` accepts this silently, but `kubectl apply` rejects it against the HTTPRoute CRD (`rules` must be an array). With multiple match-less rules you'd also get duplicate `backendRefs`/`filters` keys. The fix is to emit the `-` unconditionally per rule and hang `matches`/`filters`/`backendRefs` off it, e.g.:
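The failure described in that comment, reproduced with Go's `text/template` (the engine Helm templates run on). This is an added example, not the chart's own `django-httproute.yaml`: the two rule templates are constructed to show the pattern (dash attached to `matches` versus dash emitted per rule), Helm's `toYaml`/`nindent` helpers are replaced by plain string lists so it runs stand-alone, and the values layout, service name and port are assumptions.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// Constructed reproduction, not the chart's real template. matches, filters
// and backendRefs are modelled as plain string lists because text/template
// has no toYaml/nindent. Only the first lines of the two templates differ;
// the remainder of each rule is shared below.
const ruleTail = `
{{- range .matches }}
  - path:
      type: PathPrefix
      value: {{ . }}
{{- end }}
{{- end }}
{{- if .filters }}
  filters:
{{- range .filters }}
  - type: {{ . }}
{{- end }}
{{- end }}
  backendRefs:
  - name: {{ $.service }}
    port: {{ $.port }}
{{- end }}
`

// buggyRules: the dash lives inside "if .matches", so a rule without
// matches emits no list item and "rules" collapses into a mapping.
const buggyRules = "rules:\n{{- range .rules }}\n{{- if .matches }}\n- matches:" + ruleTail

// fixedRules: the dash is emitted once per rule, unconditionally, and the
// optional blocks plus backendRefs hang off that item.
const fixedRules = "rules:\n{{- range .rules }}\n-\n{{- if .matches }}\n  matches:" + ruleTail

// render executes a template against a values map, as helm template would.
func render(tmpl string, values map[string]any) (string, error) {
	t, err := template.New("rules").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, values); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// rulesIsSequence reports whether the rendered "rules:" value is a YAML
// sequence: the first non-blank line after "rules:" must be a list item.
// The HTTPRoute CRD requires a sequence here; a mapping is what kubectl rejects.
func rulesIsSequence(rendered string) bool {
	lines := strings.Split(rendered, "\n")
	for i, l := range lines {
		if strings.TrimSpace(l) != "rules:" {
			continue
		}
		for _, next := range lines[i+1:] {
			item := strings.TrimSpace(next)
			if item == "" {
				continue
			}
			return item == "-" || strings.HasPrefix(item, "- ")
		}
	}
	return false
}

// duplicateMapKeys reports the second symptom from the review: once rules has
// collapsed into a mapping, every further match-less rule repeats backendRefs
// as a duplicate key of that same mapping.
func duplicateMapKeys(rendered string) bool {
	if rulesIsSequence(rendered) {
		return false
	}
	n := 0
	for _, l := range strings.Split(rendered, "\n") {
		if l == "  backendRefs:" {
			n++
		}
	}
	return n > 1
}

func main() {
	// Constructed values: a catch-all rule with only a filter, plus an empty rule.
	values := map[string]any{
		"service": "defectdojo-django", // placeholder service name
		"port":    80,                  // placeholder port
		"rules": []map[string]any{
			{"filters": []string{"RequestRedirect"}},
			{},
		},
	}
	for _, tc := range []struct{ name, tmpl string }{{"buggy", buggyRules}, {"fixed", fixedRules}} {
		out, err := render(tc.tmpl, values)
		if err != nil {
			panic(err)
		}
		fmt.Printf("--- %s: sequence=%v duplicateKeys=%v\n%s\n",
			tc.name, rulesIsSequence(out), duplicateMapKeys(out), out)
	}
}
```

Running it prints both renderings side by side: the buggy one yields `rules:` followed directly by `filters:` and two `backendRefs:` keys at the same indent, while the fixed one yields two `-` items. A YAML-aware check like `rulesIsSequence` is worth adding to a chart's test plan because `helm template` alone will never flag this.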
Summary

- `django-httproute.yaml` template as an alternative to the classic Ingress resource for users running Kubernetes Gateway API controllers (e.g. Envoy Gateway, Istio, Cilium). Configured via `django.httpRoute` values. Disabled by default.
- `external-secret.yaml` template for syncing secrets from external stores (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, etc.) via the External Secrets Operator. Configured via `externalSecret` values. Disabled by default.

Motivation

- HTTPRoute: The Kubernetes Gateway API (`gateway.networking.k8s.io/v1`) is now GA and increasingly adopted. This allows users who have moved to Gateway API to use DefectDojo natively without maintaining separate HTTPRoute manifests. Related: #14667
- External Secrets: Many production deployments avoid storing secrets in Helm values or manually-created Kubernetes Secrets. ESO is the standard solution for syncing secrets from external vaults. Adding first-class support makes DefectDojo easier to deploy securely.

Changes

- `helm/defectdojo/templates/django-httproute.yaml`
- `helm/defectdojo/templates/external-secret.yaml`
- `helm/defectdojo/values.yaml`: `django.httpRoute` and `externalSecret` value blocks

HTTPRoute details

- `django.httpRoute.enabled` (default `false`)
- `parentRefs`, `hostnames`, and flexible `rules` with `matches` and `filters`
- Port 80/443 selected based on `django.nginx.tls.enabled`
- `extraLabels`, `extraAnnotations`
- Example values:

ExternalSecret details

- `externalSecret.enabled` (default `false`)
- `external-secrets.io/v1` API
- `targetSecretName` controls the name of the Kubernetes Secret created by ESO
- Example values:

Test plan

- `helm lint helm/defectdojo` passes
- `helm template` with httpRoute enabled renders a valid `gateway.networking.k8s.io/v1 HTTPRoute` with correct service name and port
- `helm template` with `django.nginx.tls.enabled=true` correctly selects port 443
- `helm template` with externalSecret enabled renders a valid `external-secrets.io/v1 ExternalSecret`
- `helm template` with default values produces neither HTTPRoute nor ExternalSecret resources