Install DefectDojo
This page describes the main steps to perform when installing DefectDojo via its Helm Chart.
Info
DefectDojo can also be installed using the EDP addons approach. For details, please refer to the EDP addons approach documentation.
Prerequisites
Installation
Info
Please refer to the DefectDojo Helm Chart and Deploy DefectDojo into the Kubernetes cluster sections for details.
To install DefectDojo, follow the steps below:

1. Check that a security namespace is created. If not, run the following command to create it:

For the OpenShift users:

When using the OpenShift platform, install the SecurityContextConstraints resource. In case of using a custom namespace for defectdojo, change the namespace in the users section.

defectdojo-scc.yaml
```yaml
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities: null
apiVersion: security.openshift.io/v1
allowedFlexVolumes: []
defaultAddCapabilities: []
fsGroup:
  type: MustRunAs
  ranges:
    - min: 999
      max: 65543
groups: []
kind: SecurityContextConstraints
metadata:
  annotations:
    "helm.sh/hook": "pre-install"
  name: defectdojo
priority: 1
readOnlyRootFilesystem: false
requiredDropCapabilities:
  - KILL
  - MKNOD
  - SETUID
  - SETGID
runAsUser:
  type: MustRunAsRange
  uidRangeMin: 1
  uidRangeMax: 65543
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users:
  - system:serviceaccount:defectdojo:defectdojo
  - system:serviceaccount:defectdojo:defectdojo-rabbitmq
  - system:serviceaccount:defectdojo:default
volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - persistentVolumeClaim
  - projected
  - secret
```

2. Add a chart repository:
3. Create the PostgreSQL admin secret:

```bash
kubectl -n defectdojo create secret generic defectdojo-postgresql-specific \
  --from-literal=postgresql-password=<postgresql_password> \
  --from-literal=postgresql-postgres-password=<postgresql_postgres_password>
```

Note
The postgresql_password and postgresql_postgres_password passwords must be 16 characters long.

4. Create the RabbitMQ admin secret:
```bash
kubectl -n defectdojo create secret generic defectdojo-rabbitmq-specific \
  --from-literal=rabbitmq-password=<rabbitmq_password> \
  --from-literal=rabbitmq-erlang-cookie=<rabbitmq_erlang_cookie>
```

Note
The rabbitmq_password password must be 10 characters long. The rabbitmq_erlang_cookie password must be 32 characters long.

5. Create the DefectDojo admin secret:
```bash
kubectl -n defectdojo create secret generic defectdojo \
  --from-literal=DD_ADMIN_PASSWORD=<dd_admin_password> \
  --from-literal=DD_SECRET_KEY=<dd_secret_key> \
  --from-literal=DD_CREDENTIAL_AES_256_KEY=<dd_credential_aes_256_key> \
  --from-literal=METRICS_HTTP_AUTH_PASSWORD=<metric_http_auth_password>
```

Note
The dd_admin_password password must be 22 characters long. The dd_secret_key password must be 128 characters long. The dd_credential_aes_256_key password must be 128 characters long. The metric_http_auth_password password must be 32 characters long.

6. Install DefectDojo v.2.22.4 using the defectdojo/defectdojo Helm chart v.1.6.69:
```bash
helm upgrade --install \
  defectdojo \
  --version 1.6.69 \
  defectdojo/defectdojo \
  --namespace defectdojo \
  --values values.yaml
```

Check out the values.yaml file sample of the DefectDojo customization:

View: values.yaml
```yaml
tag: 2.22.4
fullnameOverride: defectdojo
host: defectdojo.<ROOT_DOMAIN>
site_url: https://defectdojo.<ROOT_DOMAIN>
alternativeHosts:
  - defectdojo-django.defectdojo
initializer:
  # should be false after the initial installation was performed
  run: true
django:
  ingress:
    enabled: true # change to 'false' for OpenShift
    activateTLS: false
  uwsgi:
    livenessProbe:
      # Enable liveness checks on the uwsgi container. These values are used for the nginx readiness checks as well.
      # The default value is 120, so in our case 20 is just fine.
      initialDelaySeconds: 20
```

7. For the OpenShift platform, install a Route:

View: defectdojo-route.yaml
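The three secret-creation steps above (PostgreSQL, RabbitMQ and DefectDojo admin) as one script, an added example that is not part of the EDP documentation: it generates values of exactly the lengths the Notes require, validates each one, and either prints the kubectl commands with the values masked or, when run with `apply` as its first argument, creates the secrets. The namespace, secret names and key names are taken from the page; the `apply`/print switch and the helper names are this example's own.

```shell
#!/usr/bin/env sh
# Added example, not from the EDP documentation. Generates values with exactly
# the lengths the Notes above require, validates them, and creates the three
# secrets. Without the "apply" argument it only prints the kubectl commands with
# every value masked, so nothing sensitive reaches the terminal or shell history.
set -eu
NS=defectdojo
MODE=${1:-print}
# gen_secret LEN: LEN random characters from [A-Za-z0-9], read from /dev/urandom.
gen_secret() {
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$1"
}
# check_len LABEL VALUE LEN: fail if VALUE is not exactly LEN characters long.
check_len() {
  [ "${#2}" -eq "$3" ] || { echo "error: $1 must be exactly $3 characters, got ${#2}" >&2; return 1; }
}
# create_secret NAME --from-literal=key=value ...: run kubectl in apply mode,
# otherwise print the command with each value replaced by <redacted>.
create_secret() {
  name=$1; shift
  if [ "$MODE" = apply ]; then
    kubectl -n "$NS" create secret generic "$name" "$@"
  else
    printf 'kubectl -n %s create secret generic %s' "$NS" "$name"
    for kv in "$@"; do printf ' %s=<redacted>' "${kv%=*}"; done
    echo
  fi
}
# Generate and validate every value; the lengths are those stated in the Notes.
PG_PASSWORD=$(gen_secret 16);          check_len postgresql_password "$PG_PASSWORD" 16
PG_POSTGRES_PASSWORD=$(gen_secret 16); check_len postgresql_postgres_password "$PG_POSTGRES_PASSWORD" 16
RMQ_PASSWORD=$(gen_secret 10);         check_len rabbitmq_password "$RMQ_PASSWORD" 10
RMQ_COOKIE=$(gen_secret 32);           check_len rabbitmq_erlang_cookie "$RMQ_COOKIE" 32
DD_ADMIN_PASSWORD=$(gen_secret 22);    check_len dd_admin_password "$DD_ADMIN_PASSWORD" 22
DD_SECRET_KEY=$(gen_secret 128);       check_len dd_secret_key "$DD_SECRET_KEY" 128
DD_AES_KEY=$(gen_secret 128);          check_len dd_credential_aes_256_key "$DD_AES_KEY" 128
METRICS_PASSWORD=$(gen_secret 32);     check_len metric_http_auth_password "$METRICS_PASSWORD" 32
# Same secret names and keys as the three kubectl commands above.
create_secret defectdojo-postgresql-specific \
  --from-literal=postgresql-password="$PG_PASSWORD" \
  --from-literal=postgresql-postgres-password="$PG_POSTGRES_PASSWORD"
create_secret defectdojo-rabbitmq-specific \
  --from-literal=rabbitmq-password="$RMQ_PASSWORD" \
  --from-literal=rabbitmq-erlang-cookie="$RMQ_COOKIE"
create_secret defectdojo \
  --from-literal=DD_ADMIN_PASSWORD="$DD_ADMIN_PASSWORD" \
  --from-literal=DD_SECRET_KEY="$DD_SECRET_KEY" \
  --from-literal=DD_CREDENTIAL_AES_256_KEY="$DD_AES_KEY" \
  --from-literal=METRICS_HTTP_AUTH_PASSWORD="$METRICS_PASSWORD"
```

Run it once without arguments to review the masked commands, then with `apply` against a kubectl context pointing at the target cluster.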
Configuration
To prepare DefectDojo for integration with EDP, follow the steps below:

1. Create a ci user in the DefectDojo UI:
   - Log in to the DefectDojo UI using the admin credentials.
   - Go to the User section.
   - Create a new user with write permission.

2. Get a token of the DefectDojo user:
   - Log in to the DefectDojo UI using the credentials from the previous step.
   - Go to the API v2 key (token).
   - Copy the API key.

3. Provision the secret using EDP Portal, Manifest, or the externalSecrets operator:

EDP Portal: Go to EDP Portal -> EDP -> Configuration -> DefectDojo. Update or fill in the URL and Token and click the Save button.

External Secrets Operator: Store the DefectDojo URL and Token in AWS Parameter Store with the following format:

Then go to EDP Portal -> EDP -> Configuration -> DefectDojo and check for the Managed by External Secret message. More details about the External Secrets Operator integration procedure can be found on the External Secrets Operator Integration page.
After following the instructions provided, you should be able to integrate your DefectDojo with the EPAM Delivery Platform using one of the few available scenarios.