Description
🐞 Bug report
Describe the bug
I am trying to add a toleration to the DefectDojo persistence provider chart to allow the pods to run on a specific node pool on our GKE cluster.
The feature is described on the website and here in the values file of the chart: https://github.com/secureCodeBox/secureCodeBox/blob/main/hooks/persistence-defectdojo/values.yaml#L35
However in the chart yaml template the tolerations are not configured: https://github.com/secureCodeBox/secureCodeBox/blob/main/hooks/persistence-defectdojo/templates/persistence-provider.yaml
So it seems to me that the helm value is not used at all, which I am able to find with my setup.
I am using Helm + Terraform to install the chart like this:
```hcl
resource "helm_release" "securecodebox-defectdojo" {
  name       = "securecodebox-defectdojo"
  repository = "https://charts.securecodebox.io"
  chart      = "persistence-defectdojo"
  namespace  = kubernetes_namespace_v1.securecodebox.metadata[0].name
  version    = "4.0.1"
  values = [
    <<-EOF
    hook:
      tolerations:
        - key: "instance_type"
          value: "preemptible"
          effect: "NoSchedule"
    EOF
  ]
}
```
After a scan finishes I will find the pod in a Pending state, unable to be scheduled to a node.
The relevant part here is: "{instance_type: preemptible}" since I manually tainted the other nodes to test this.
```text
Warning FailedScheduling 37m default-scheduler 0/4 nodes are available: 1 node(s) had untolerated taint {instance_type: preemptible}, 1 node(s) had untolerated taint {jenkins-agent: true}, 2 node(s) had untolerated taint {key1: value1}. preemption: 0/4 nodes are available: 4 Preemption is not helpful for scheduling.
```
Steps To Reproduce
Steps to reproduce the behavior:
- Install the Helm chart for the defectdojo hook
- Configure a node pool with a toleration
- Configure the hook.tolerations value to represent the configured node toleration
- See the error in the persistence pod event log
Expected behavior
I expect the hook tolerations to be passed down to the pod, just like it is done with the scanners.
For example the Nikto parser pod: https://github.com/secureCodeBox/secureCodeBox/blob/main/scanners/nikto/templates/nikto-parse-definition.yaml#L19
System (please complete the following information):
- secureCodeBox 4.0.1
- OS: Linux
- Kubernetes Version: v1.24.14-gke.2700
- Docker Version: N/A
- Browser: N/A
Additional context
In cluster hook config:
```shell
k get scancompletionhooks.execution.securecodebox.io securecodebox-defectdojo-persistence-defectdojo -o yaml
```
```yaml
apiVersion: execution.securecodebox.io/v1
kind: ScanCompletionHook
metadata:
  annotations:
    meta.helm.sh/release-name: securecodebox-defectdojo
    meta.helm.sh/release-namespace: securecodebox
  creationTimestamp: "2023-09-13T12:21:03Z"
  generation: 3
  labels:
    app.kubernetes.io/instance: securecodebox-defectdojo
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: persistence-defectdojo
    app.kubernetes.io/version: 1.12.0
    helm.sh/chart: persistence-defectdojo-4.0.1
    type: Unstructured
  name: securecodebox-defectdojo-persistence-defectdojo
  namespace: securecodebox
  resourceVersion: "925699149"
  uid: 71af55eb-5123-48b0-b11f-c1d3863b20dc
spec:
  env:
  - name: DEFECTDOJO_URL
    value: REDACTED
  - name: DEFECTDOJO_USERNAME
    valueFrom:
      secretKeyRef:
        key: username
        name: defectdojo-scanner-user-credentials
  - name: DEFECTDOJO_APIKEY
    valueFrom:
      secretKeyRef:
        key: apikey
        name: defectdojo-scanner-user-credentials
  - name: DEFECTDOJO_LOW_PRIVILEGED_MODE
    value: "false"
  image: docker.io/securecodebox/hook-persistence-defectdojo:4.0.1
  imagePullPolicy: IfNotPresent
  priority: 0
  resources:
    limits:
      memory: 500Mi
  ttlSecondsAfterFinished: null
  type: ReadAndWrite
```
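To make the failure mode concrete, here is an added example (not code from the secureCodeBox project or the reporter) that models the Kubernetes taint/toleration check and replays the FailedScheduling event above: the four node taints and the `hook.tolerations` entry are taken from this report, while the node names are constructed.

```python
# Added example (not from the secureCodeBox project): a minimal model of the
# Kubernetes taint/toleration check, used to show why the hook pod above stays
# Pending when the chart drops hook.tolerations. Node taints are the ones
# listed in the FailedScheduling event; the toleration is the one from the
# Terraform values block. Node names are constructed for the example.

HARD_EFFECTS = {"NoSchedule", "NoExecute"}  # PreferNoSchedule is only a soft preference

def tolerates(toleration: dict, taint: dict) -> bool:
    """True if a single toleration covers a single taint (Kubernetes semantics)."""
    operator = toleration.get("operator", "Equal")
    # An empty key is only valid with operator Exists and then matches every key.
    if toleration.get("key", "") not in ("", taint["key"]):
        return False
    if toleration.get("key", "") == "" and operator != "Exists":
        return False
    if operator == "Equal" and toleration.get("value", "") != taint.get("value", ""):
        return False
    # An empty effect matches every effect.
    if toleration.get("effect", "") not in ("", taint["effect"]):
        return False
    return True

def untolerated_taints(tolerations: list, taints: list) -> list:
    """Hard taints on a node that no toleration on the pod covers."""
    return [t for t in taints
            if t["effect"] in HARD_EFFECTS
            and not any(tolerates(tol, t) for tol in tolerations)]

def schedulable_nodes(tolerations: list, nodes: dict) -> list:
    """Names of nodes whose hard taints are all tolerated by the pod."""
    return [name for name, taints in nodes.items()
            if not untolerated_taints(tolerations, taints)]

# Constructed cluster matching the event log: 4 nodes, all tainted NoSchedule.
NODES = {
    "preemptible-1": [{"key": "instance_type", "value": "preemptible", "effect": "NoSchedule"}],
    "jenkins-1": [{"key": "jenkins-agent", "value": "true", "effect": "NoSchedule"}],
    "other-1": [{"key": "key1", "value": "value1", "effect": "NoSchedule"}],
    "other-2": [{"key": "key1", "value": "value1", "effect": "NoSchedule"}],
}

# Toleration from the Terraform values block (operator defaults to Equal).
HOOK_TOLERATION = {"key": "instance_type", "value": "preemptible", "effect": "NoSchedule"}

if __name__ == "__main__":
    print("rendered without tolerations:", schedulable_nodes([], NODES))  # [] -> 0/4 nodes, Pending
    print("rendered with hook.tolerations:", schedulable_nodes([HOOK_TOLERATION], NODES))  # ['preemptible-1']
```

The first call reproduces what the unpatched template produces (no tolerations on the hook pod, 0/4 nodes); the second shows the result once the value is actually rendered into the pod spec.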