# defectdojo

| Field | Value |
| --- | --- |
| Service | defectdojo |
| Purpose | Vulnerability management platform and findings intake portal |
| Criticality | Tier 2 |
| Owner | Platform / Security owner |
| Clusters | homelab |
| Namespace | defectdojo |
| Exposure | internet |
| Stateful | yes |
| Backup class | snapshot |
| RPO / RTO | Daily backup target, 4 to 8 hours to restore |
| Last reviewed | 2026-05-23 |
## 1. Service Overview

DefectDojo provides the web UI, API, and background workers used to centralize vulnerability findings and security workflows.

### Summary

If it fails, operators lose access to the findings portal, scan ingestion, and background processing for imports and notifications.

### Dependencies

| Dependency | Type | Why it matters |
| --- | --- | --- |
| PostgreSQL | database | Stores users, findings, products, and application state |
| Valkey | broker / cache | Required by Celery workers and async processing |
| Traefik | ingress | Exposes the HTTPS route |
| Kustomize-generated Secret `defectdojo` | runtime secret | Provides bootstrap admin password and Django runtime secrets |
## 2. Architecture Diagram

```text
[Browser / API client]
  -> [Traefik]
  -> [DefectDojo nginx]
  -> [DefectDojo uwsgi]
  -> [PostgreSQL]
  -> [Valkey]
  -> [Celery worker / beat]
```
## 3. Deployment Specifications

| Item | Value |
| --- | --- |
| Source path | `defectdojo/base` and `defectdojo/overlays/homelab` |
| Deployment model | Fleet Helm release plus Kustomize overlay resources |
| Namespace | defectdojo |
| Workload kind | Deployment, StatefulSets, and bootstrap Job |
| Chart or image version | Helm chart defectdojo 1.9.28 |
| Config files | `base/kustomization.yaml`, `overlays/homelab/kustomization.yaml`, `overlays/homelab/values.yaml`, `fleet.yaml` |

### Cluster mapping

| Cluster | Overlay path | Notes |
| --- | --- | --- |
| homelab | `defectdojo/overlays/homelab` | Primary homelab deployment |
## 4. Configuration Guide

### Environment variables

| Variable | Source | Purpose | Secret? |
| --- | --- | --- | --- |
| `DD_ADMIN_PASSWORD` | `overlays/homelab/.defectdojo-secrets.env` -> Secret `defectdojo` | Initial superuser password at first bootstrap | yes |
| `DD_SECRET_KEY` | `overlays/homelab/.defectdojo-secrets.env` -> Secret `defectdojo` | Django signing and session security | yes |
| `DD_CREDENTIAL_AES_256_KEY` | `overlays/homelab/.defectdojo-secrets.env` -> Secret `defectdojo` | Encryption key for stored credentials | yes |
| `DD_CSRF_TRUSTED_ORIGINS` | `overlays/homelab/values.yaml` | Trust the external HTTPS origin | no |

### ConfigMaps

| Resource | Path | Purpose |
| --- | --- | --- |
| Helm-generated DefectDojo config | `defectdojo/overlays/homelab/values.yaml` | Runtime settings, URL, replicas, probes, and resources |

### Secrets management

- Secret names: `defectdojo`, `defectdojo-postgresql-specific`, and `defectdojo-valkey-specific`.
- Source of truth: local `.env` inputs under `defectdojo/overlays/homelab` plus generated Kustomize Secret objects.
- Bootstrap guard: the initializer Job now has a required `secretKeyRef` for `DD_ADMIN_PASSWORD`, so first boot fails fast if the Secret is missing instead of generating a random password.
- Recovery note: if the first bootstrap already ran without the expected password, use the runbook to reset `dojo-admin` or create a replacement superuser.
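A preflight check for the bootstrap guard, added here as an example that is not part of this overlay or the DefectDojo chart: it walks a Job manifest loaded as a dict and reports any container where `DD_ADMIN_PASSWORD` is not a required `secretKeyRef` on the Secret `defectdojo`. The Secret key name `DD_ADMIN_PASSWORD` and the container name `initializer` in the constructed samples are assumptions.

```python
REQUIRED_SECRET = "defectdojo"
REQUIRED_VAR = "DD_ADMIN_PASSWORD"


def bootstrap_guard_problems(job: dict) -> list:
    """Check every container of a Job manifest (loaded as a dict) and return
    one finding per defect; an empty list means the bootstrap guard holds."""
    problems = []
    pod_spec = job.get("spec", {}).get("template", {}).get("spec", {})
    containers = pod_spec.get("containers", [])
    if not containers:
        return ["job has no containers"]
    for c in containers:
        name = c.get("name", "<unnamed>")
        env = {e.get("name"): e for e in c.get("env", [])}
        entry = env.get(REQUIRED_VAR)
        if entry is None:
            problems.append(f"{name}: {REQUIRED_VAR} is not set")
            continue
        if "value" in entry:
            problems.append(f"{name}: {REQUIRED_VAR} is a literal, not a Secret reference")
            continue
        ref = (entry.get("valueFrom") or {}).get("secretKeyRef")
        if ref is None:
            problems.append(f"{name}: {REQUIRED_VAR} does not use secretKeyRef")
            continue
        if ref.get("name") != REQUIRED_SECRET:
            problems.append(f"{name}: secretKeyRef points at {ref.get('name')!r}")
        # optional defaults to false in Kubernetes; true lets the container
        # start with the variable unset, the case that led to a random password
        if ref.get("optional", False):
            problems.append(f"{name}: secretKeyRef is optional, missing Secret would not fail first boot")
    return problems


def _job(env_entry: dict) -> dict:
    """Constructed minimal Job manifest with a single 'initializer' container."""
    return {"kind": "Job", "spec": {"template": {"spec": {"containers": [
        {"name": "initializer", "env": [env_entry]}]}}}}


# Constructed samples: the weak one tolerates a missing Secret, the hardened
# one requires it (the Secret key name DD_ADMIN_PASSWORD is an assumption).
WEAK_JOB = _job({"name": REQUIRED_VAR, "valueFrom": {"secretKeyRef": {
    "name": REQUIRED_SECRET, "key": REQUIRED_VAR, "optional": True}}})
HARDENED_JOB = _job({"name": REQUIRED_VAR, "valueFrom": {"secretKeyRef": {
    "name": REQUIRED_SECRET, "key": REQUIRED_VAR}}})
```

Run it against the rendered initializer Job (for example the output of `kustomize build` parsed with a YAML loader) before applying a change to the overlay.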
## 5. Access Protocols

| Path | URL or endpoint | Audience | Auth | TLS terminates at |
| --- | --- | --- | --- | --- |
| Internal | Services inside the `defectdojo` namespace | Cluster workloads | namespace RBAC | nginx / service |
| External | https://defectdojo.home.mutana.fr | Operators and security users | DefectDojo auth | Traefik |
## 6. Operations and Observability

- Primary health indicators: `defectdojo-django` ready, initializer Job completed, login page reachable, and PostgreSQL plus Valkey healthy.
- Dashboards or alerts: shared cluster monitoring and ingress health.
- Log locations: uwsgi, nginx, initializer Job, Celery worker, Celery beat, PostgreSQL, and Valkey logs.
- Known failure modes: missing bootstrap secret, OOM on uwsgi, PVC attachment problems, or ingress / CSRF misconfiguration.
## 7. Backup and Recovery Notes

- Backup method: PostgreSQL backup plus media PVC snapshot.
- Restore prerequisites: database state, runtime secrets, and media PVC if user-uploaded files matter.
- Related runbook: `../runbooks/defectdojo.md`
## 8. Release and Change Notes

- Current deployed app version: see the upstream chart `appVersion` for defectdojo 1.9.28.
- Current chart version: 1.9.28.
- Last significant change: bootstrap hardened so the initializer waits for `DD_ADMIN_PASSWORD` instead of falling back to a random password.
- Rollback reference: previous Git revision of `defectdojo/overlays/homelab` and `defectdojo/fleet.yaml`.