
feat(helm): add Gateway API HTTPRoute and External Secrets Operator support #14985

Open

jonasschultheiss wants to merge 2 commits into DefectDojo:dev from jonasschultheiss:feat/httproute-and-external-secrets


Conversation

jonasschultheiss (Author) wrote:

Summary

  • HTTPRoute support: Adds a django-httproute.yaml template as an alternative to the classic Ingress resource for users running Kubernetes Gateway API controllers (e.g. Envoy Gateway, Istio, Cilium). Configured via django.httpRoute values. Disabled by default.
  • External Secrets Operator (ESO) support: Adds an external-secret.yaml template for syncing secrets from external stores (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, etc.) via the External Secrets Operator. Configured via externalSecret values. Disabled by default.

Motivation

HTTPRoute: The Kubernetes Gateway API (gateway.networking.k8s.io/v1) is now GA and increasingly adopted. This allows users who have moved to Gateway API to use DefectDojo natively without maintaining separate HTTPRoute manifests. Related: #14667

External Secrets: Many production deployments avoid storing secrets in Helm values or manually-created Kubernetes Secrets. ESO is the standard solution for syncing secrets from external vaults. Adding first-class support makes DefectDojo easier to deploy securely.

Changes

| File | Change |
| --- | --- |
| helm/defectdojo/templates/django-httproute.yaml | New HTTPRoute template |
| helm/defectdojo/templates/external-secret.yaml | New ExternalSecret template |
| helm/defectdojo/values.yaml | Added django.httpRoute and externalSecret value blocks |

HTTPRoute details

  • Gated by django.httpRoute.enabled (default false)
  • Supports parentRefs, hostnames, and flexible rules with matches and filters
  • Automatically selects port 80 or 443 based on django.nginx.tls.enabled
  • Follows DefectDojo's existing labeling and annotation patterns (extraLabels, extraAnnotations)
  • Can be used alongside or instead of the existing Ingress

Example values:

django:
  httpRoute:
    enabled: true
    parentRefs:
      - name: my-gateway
        namespace: default
    hostnames:
      - defectdojo.example.com
    rules:
      - matches:
          - path:
              type: PathPrefix
              value: /

ExternalSecret details

  • Gated by externalSecret.enabled (default false)
  • Uses the stable external-secrets.io/v1 API
  • Supports any SecretStore/ClusterSecretStore provider
  • targetSecretName controls the name of the Kubernetes Secret created by ESO

Example values:

externalSecret:
  enabled: true
  refreshInterval: 30m
  secretStoreRef:
    name: my-vault-store
    kind: ClusterSecretStore
  targetSecretName: defectdojo
  data:
    - secretKey: DD_ADMIN_PASSWORD
      remoteRef:
        key: defectdojo/admin
        property: password
    - secretKey: DD_SECRET_KEY
      remoteRef:
        key: defectdojo/app
        property: secret-key

Test plan

  • helm lint helm/defectdojo passes
  • helm template with httpRoute enabled renders a valid gateway.networking.k8s.io/v1 HTTPRoute with correct service name and port
  • helm template with django.nginx.tls.enabled=true correctly selects port 443
  • helm template with externalSecret enabled renders a valid external-secrets.io/v1 ExternalSecret
  • helm template with default values produces neither HTTPRoute nor ExternalSecret resources
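As an added illustration of the HTTPRoute behaviour described above (this is example code, not the PR's actual django-httproute.yaml), the template below renders nothing unless django.httpRoute.enabled is set, picks the backend port from django.nginx.tls.enabled, and passes extraLabels/extraAnnotations through. It assumes the chart provides a "defectdojo.fullname" helper and a Service named <fullname>-django.

```yaml
{{- /* Added illustration, not the PR's file: render an HTTPRoute only when opted in. */ -}}
{{- if .Values.django.httpRoute.enabled }}
{{- /* Assumption: the chart exposes a "defectdojo.fullname" helper and a <fullname>-django Service. */ -}}
{{- $fullName := include "defectdojo.fullname" . }}
{{- /* Backend port follows the existing nginx TLS switch: 443 when TLS is on, otherwise 80. */ -}}
{{- $port := ternary 443 80 .Values.django.nginx.tls.enabled }}
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: {{ $fullName }}-django
  labels:
    app.kubernetes.io/name: {{ $fullName }}-django
    {{- with .Values.django.httpRoute.extraLabels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
  {{- with .Values.django.httpRoute.extraAnnotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
spec:
  {{- /* parentRefs is required: the Gateway(s) this route attaches to. */}}
  parentRefs:
    {{- toYaml .Values.django.httpRoute.parentRefs | nindent 4 }}
  {{- with .Values.django.httpRoute.hostnames }}
  hostnames:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  rules:
    {{- range .Values.django.httpRoute.rules }}
    - matches:
        {{- toYaml .matches | nindent 8 }}
      {{- with .filters }}
      filters:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- /* Every rule targets the django Service on the TLS-dependent port. */}}
      backendRefs:
        - name: {{ $fullName }}-django
          port: {{ $port }}
    {{- end }}
{{- end }}
```

With the default values the outer `if` is false, so `helm template` emits no HTTPRoute from this file, which is the behaviour the test plan's last item checks.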

…upport

Add HTTPRoute template as an alternative to the classic Ingress
resource for users running Kubernetes Gateway API controllers.
The template supports parentRefs, hostnames, flexible match rules
with filters, and automatically selects port 80/443 based on the
existing nginx TLS configuration.

Add ExternalSecret template for integrating with the External
Secrets Operator (ESO), allowing users to sync secrets from
external stores (e.g. HashiCorp Vault, AWS Secrets Manager,
Azure Key Vault) instead of managing them directly in Helm values
or Kubernetes Secrets.

Both features are disabled by default and fully opt-in.
mtesauro (Contributor) commented Jun 9, 2026

@jonasschultheiss Please make PRs against the dev branch. We don't accept PRs against main/master.

For details, see: https://github.com/DefectDojo/django-DefectDojo/blob/master/readme-docs/CONTRIBUTING.md

@jonasschultheiss jonasschultheiss changed the base branch from master to dev June 12, 2026 09:30
jonasschultheiss (Author) commented

@mtesauro I've updated the base branch
