
feat(helm): Add secret annotations #11860

Open · wants to merge 1 commit into base: dev

Conversation

al-cheb
Contributor

@al-cheb al-cheb commented Feb 20, 2025

Description

Allow adding annotations to secret resources.

E.g.: A Kubernetes mutating webhook that makes direct secret injection using annotations - https://bank-vaults.dev/docs/mutating-webhook/annotations/

Allow adding annotations to secret resources.
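As an added illustration of the pattern this PR describes (not the PR's own diff, which is not shown on this page), the following Helm template and values fragment show how a values-driven annotations block is rendered onto a Secret. The values key `secretAnnotations`, the resource name and the sample annotation key are assumptions for the example; the annotations block is emitted only when the map is non-empty, so charts that do not set it render unchanged.

```yaml
# templates/secret-example.yaml (added example, not from the PR)
apiVersion: v1
kind: Secret
metadata:
  name: {{ .Release.Name }}-example
  labels:
    app.kubernetes.io/name: {{ .Chart.Name }}
  # Render an annotations block only when .Values.secretAnnotations is set;
  # toYaml copies the map verbatim, nindent re-indents it under metadata.
  {{- with .Values.secretAnnotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
type: Opaque
data:
  # Secret material stays in data, never in annotations: annotations are
  # plain metadata, readable by anyone who can read the Secret object.
  password: {{ .Values.examplePassword | default (randAlphaNum 16) | b64enc | quote }}

---
# values.yaml fragment (added example; the annotation key is constructed)
secretAnnotations:
  example.com/managed-by: "vault-mutating-webhook"
  example.com/inject-path: "secret/data/defectdojo"
examplePassword: ""
```

Rendering with `helm template` and the values above produces a Secret whose `metadata.annotations` carries the two keys exactly as written; with `secretAnnotations` omitted or empty the `annotations:` line is absent. Because the map is copied through unchanged, the chart itself performs no validation of keys or values; the Kubernetes API server still enforces annotation key syntax and the total annotation size limit, but anything a chart consumer puts in `secretAnnotations` lands on the Secret as-is, which is the point to keep in mind when a webhook acts on those annotations.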
@github-actions github-actions bot added the helm label Feb 20, 2025

DryRun Security Summary

A pull request adds optional secret annotations to DefectDojo's Helm chart templates while introducing potential security considerations around annotation injection, external dependencies, insecure resource fetching, and password generation methods.


The pull request adds optional secret annotations to multiple Helm chart templates for DefectDojo, allowing dynamic metadata configuration across various secret resources. Security findings include:

  1. Annotation Injection Potential: Multiple files (extra-secret.yaml, secret-postgresql-ha-pgpool.yaml, secret-postgresql-ha.yaml, secret-postgresql.yaml, secret.yaml, secret-redis.yaml) allow arbitrary annotation injection without validation, which could expose sensitive metadata or enable configuration manipulation.

  2. External Dependency Risks: The Chart.yaml file uses external Bitnami chart repositories, which could potentially introduce unknown security risks.

  3. Insecure Resource Fetching: Chart.yaml uses an HTTP (not HTTPS) icon URL, which is a potential security concern for resource integrity.

  4. Weak Password Generation: Several secret templates use randAlphaNum with limited character lengths (10-16 characters), which might not meet robust password complexity requirements.

No critical vulnerabilities were identified, but careful annotation and configuration validation is recommended.

Code Analysis

We ran 9 analyzers against 8 files and 0 analyzers had findings. 9 analyzers had no findings.


@Maffooch Maffooch requested a review from kiblik February 21, 2025 19:23