feat: add SA connector template
* Update examples
* Move templates to directories
ialejandro committed Aug 27, 2024
1 parent ab310e3 commit 1a3c0eb
Showing 9 changed files with 236 additions and 15 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,10 @@ connectors:
- name: alienvault
enabled: true
replicas: 1
image: {}
serviceAccount:
create: true
name: ci-sa
automountServiceAccountToken: true
deploymentAnnotations:
ci: "true"
podAnnotations:
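Review bot: `automountServiceAccountToken: true` on the `ci-sa` account gives the CI connector pod a Kubernetes API token that nothing in this change shows it using, while the new `serviceaccount.yaml` template deliberately defaults that field to `false`. Suggest dropping the line (or setting it to `false`) so the CI path exercises the chart's least-privilege default, and turning it on only in a values file for a connector that actually calls the API.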
75 changes: 75 additions & 0 deletions charts/opencti/ci/ci-secrets-values.yaml
@@ -0,0 +1,75 @@
replicaCount: 1
fullnameOverride: opencti-ci

secrets:
OPENCTI_TOKEN: my-ci-cd

env:
APP__ADMIN__EMAIL: [email protected]
APP__ADMIN__PASSWORD: test
APP__ADMIN__TOKEN: b1976749-8a53-4f49-bf04-cafa2a3458c1
APP__BASE_PATH: "/"
APP__HEALTH_ACCESS_KEY: f93747ff-2ea1-4717-900c-9df20b8e4429
APP__TELEMETRY__METRICS__ENABLED: true
APP__GRAPHQL__PLAYGROUND__ENABLED: false
APP__GRAPHQL__PLAYGROUND__FORCE_DISABLED_INTROSPECTION: false
ELASTICSEARCH__ENGINE_SELECTOR: elk
ELASTICSEARCH__URL: http://opencti-ci-elasticsearch:9200
MINIO__ENDPOINT: opencti-ci-minio
RABBITMQ__HOSTNAME: opencti-ci-rabbitmq
RABBITMQ__PASSWORD: ChangeMe
RABBITMQ__PORT_MANAGEMENT: 15672
RABBITMQ__PORT: 5672
RABBITMQ__USERNAME: user
REDIS__HOSTNAME: opencti-ci-redis-master
REDIS__MODE: single
REDIS__PORT: 6379

testConnection: false

envFromSecrets:
OPENCTI_TOKEN:
name: opencti-ci-credentials
key: OPENCTI_TOKEN

connectors:
- name: alienvault
enabled: true
replicas: 1
env:
OPENCTI_TOKEN: "issue-token"
# envFromSecrets:
# OPENCTI_TOKEN:
# name: opencti-ci-credentials
# key: OPENCTI_TOKEN


serviceMonitor:
enabled: false

autoscaling:
enabled: true

worker:
enabled: true

autoscaling:
enabled: true

elasticsearch:
fullnameOverride: opencti-ci-elasticsearch
master:
resourcesPreset: "medium"
data:
resourcesPreset: "medium"

minio:
fullnameOverride: opencti-ci-minio

rabbitmq:
fullnameOverride: opencti-ci-rabbitmq
auth:
erlangCookie: b25c953e-2193-4b8e-9f3b-9a3a5ba76d75

redis:
fullnameOverride: opencti-ci-redis
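Review bot: the file is named `ci-secrets-values.yaml`, but the connector still receives its token inline (`env: OPENCTI_TOKEN: "issue-token"`) while the `envFromSecrets` block beneath it is commented out, so the scenario the file exists to test (connector token sourced from a `Secret`) is never rendered. Suggest enabling the commented block and removing the inline token, and double-checking that the `opencti-ci-credentials` name used by both `envFromSecrets` entries matches the `Secret` the `secrets:` block creates. The hard-coded `APP__ADMIN__TOKEN`, `APP__HEALTH_ACCESS_KEY`, `RABBITMQ__PASSWORD: ChangeMe` and `erlangCookie` are acceptable for throwaway CI, but a one-line comment saying so would stop them being copied into real values files.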
131 changes: 126 additions & 5 deletions charts/opencti/docs/examples.md
@@ -1,6 +1,8 @@
# Examples

## Global: create secrets
## Global

### Manage secrets

Use `secrets` to create secrets to reference with `envFromSecrets`. By default the secret is created in the same namespace of the release.

Expand Down Expand Up @@ -29,7 +31,9 @@ Can reference the secret using `envFromSecrets` in any (is the same `Secret` for
> [!NOTE]
> A suggestion to facilitate the management of secrets is to use prefixes. For example, for connector secrets save `CONNECTOR_MISP_MY_SECRET` to reference `MISP` connector.

## Server: health checks
## Server

### Enable health checks

Enable `testConnection` to check if the service is reachable.

Expand Down Expand Up @@ -106,7 +110,7 @@ Output:
- 'RETRY=0; until [ $RETRY -eq 30 ]; do nc -zv opencti-ci-redis-master 6379 && break; echo "[$RETRY/30] waiting service opencti-ci-redis-master:6379 is ready"; sleep 5; RETRY=$(($RETRY + 1)); done'
```

## Server: configure OpenID
### Configure OpenID

```yaml
env:
Expand All @@ -126,7 +130,9 @@ env:
PROVIDERS__OPENID__STRATEGY: "OpenIDConnectStrategy"
```

## Connector: sample complete
## Connector

### Sample complete

```yaml
connectors:
Expand All @@ -136,6 +142,8 @@ connectors:
replicas: 1
image:
repository: opencti/connector-misp
serviceAccount:
create: true
env:
CONNECTOR_CONFIDENCE_LEVEL: "XXXX"
CONNECTOR_ID: "XXXX"
Expand Down Expand Up @@ -168,7 +176,7 @@ connectors:
memory: 128Mi
```

You can config which node to run the connector using nodeSelector and tolerations.
You can config which node to run the connector using `nodeSelector` and `tolerations`.

```yaml
connector:
Expand Down Expand Up @@ -199,3 +207,116 @@ Or you can use affinity to run the connector in different node if you increase r
- sample-misp
topologyKey: kubernetes.io/hostname
```

### Configure image

You can configure default `image` to run the connector or use default `image`.

If you don't set `image` block, by default use `opencti/<name-connector>:<Chart.AppVersion>`.

```yaml
connectors:
- name: sample-misp
enabled: true
replicas: 1
...
```

This config use default image: `opencti/sample-misp:6.2.18`

You can configure `repository` and `tag` to use a custom image.

```yaml
connectors:
- name: sample-misp
enabled: true
replicas: 1
image:
repository: my-private-repo/connector-misp-sample
tag: "6.2.15"
...
```

Now, this config set an image: `my-private-repo/connector-misp-sample:6.2.15`

### Configure serviceAccount

You can configure default `serviceAccount` to run the connector or use a custom `serviceAccount`. Following code, create a `serviceAccount` named `test` to run the connector.

```yaml
...
connectors:
- name: sample-misp
enabled: true
replicas: 1
serviceAccount:
create: true
name: test
automountServiceAccountToken: true # false by default
```

Result:

```yaml
# Source: opencti/templates/connector/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: test
labels:
opencti.connector: sample-misp
...
automountServiceAccountToken: true
--
# Source: opencti/templates/connector/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: sample-misp-connector-opencti
...
spec:
...
template:
...
spec:
serviceAccountName: test
```

If you want use default `name` (`<name-connector>-connector-<release-name>`) you can use `create: true` only.

```yaml
...
connectors:
- name: sample-misp
enabled: true
replicas: 1
serviceAccount:
create: true
```

Result:

```yaml
# Source: opencti/templates/connector/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: sample-misp-connector-opencti
labels:
opencti.connector: splunk
...
automountServiceAccountToken: true
--
# Source: opencti/templates/connector/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: sample-misp-connector-opencti
...
spec:
...
template:
...
spec:
serviceAccountName: sample-misp-connector-opencti
```
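Review bot: the second "Result" block contradicts the text above it and the template: the ServiceAccount is rendered with `opencti.connector: splunk` although the connector in the input is `sample-misp`, and shows `automountServiceAccountToken: true` although nothing sets it and the earlier example comments that the default is `false` (which is also what `serviceaccount.yaml` emits via `default "false"`). Suggest correcting the label to `opencti.connector: sample-misp` and the field to `automountServiceAccountToken: false`; the `--` between the two rendered documents should also be the YAML document separator `---`. Minor wording: "You can configure default `image` to run the connector or use default `image`" reads circularly, and "This config use default image" / "Following code, create a `serviceAccount`" need "uses" / "The following configuration creates".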
15 changes: 6 additions & 9 deletions charts/opencti/templates/connector/deployment.yaml
Expand Up @@ -43,20 +43,17 @@ spec:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
{{- if .serviceAccount }}
serviceAccountName: {{ if and .serviceAccount (hasKey .serviceAccount "name") }}{{ .serviceAccount.name }}{{ else }}{{ $connectorName }}-connector-{{ include "opencti.fullname" $ }}{{ end }}
{{- end }}
securityContext:
{{- toYaml .podSecurityContext | nindent 8 }}
containers:
- name: {{ $connectorName }}-connector
securityContext:
{{- toYaml .securityContext | nindent 12 }}
{{- if .image.repository }}
image: "{{ .image.repository }}:{{ .image.tag | default $.Chart.AppVersion }}"
{{- else if $.Values.global.imageRegistry }}
image: "{{ printf "%s/opencti/%s" $.Values.global.imageRegistry .name }}:{{ .image.tag | default $.Chart.AppVersion }}"
{{- else }}
image: "{{ printf "opencti/%s" .name }}:{{ .image.tag | default $.Chart.AppVersion }}"
{{- end }}
imagePullPolicy: {{ .image.pullPolicy | default "IfNotPresent" }}
image: "{{- if and .image (hasKey .image "repository") }}{{ .image.repository }}{{- else if $.Values.global.imageRegistry }}{{ printf "%s/opencti/%s" $.Values.global.imageRegistry .name }}{{- else }}{{ printf "opencti/%s" .name }}{{- end }}:{{ if and .image (hasKey .image "tag") }}{{ .image.tag | default $.Chart.AppVersion }}{{ else }}{{ $.Chart.AppVersion }}{{ end }}"
imagePullPolicy: {{ if and .image (hasKey .image "pullPolicy") }}{{ .image.pullPolicy }}{{ else }}IfNotPresent{{ end }}
env:
# Variables from secrets have precedence
{{- $envList := dict -}}
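Review bot: `serviceAccountName` is emitted whenever `.serviceAccount` is non-empty, so a connector with `serviceAccount: {create: false}` and no `name` gets `serviceAccountName: <connector>-connector-<release>` pointing at an account this chart never renders, and the pod will fail to start. Suggest emitting the line only when `.serviceAccount.create` is true or `.serviceAccount.name` is set, and moving the name computation into a named helper shared with `serviceaccount.yaml` so the two cannot drift. The `hasKey`-guarded `image` expression is otherwise a safe replacement for the old `.image.repository` branch, though the `| default $.Chart.AppVersion` on `.image.tag` is redundant once `hasKey .image "tag"` has already been checked.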
Expand All @@ -73,7 +70,7 @@ spec:
{{- end }}

# Special handling for OPENCTI_URL which is constructed from other values
{{- if not (hasKey .env "OPENCTI_URL") }}
{{- if not (hasKey $envList "OPENCTI_URL") }}
{{- if eq $.Values.env.APP__BASE_PATH "/" }}
- name: OPENCTI_URL
value: "http://{{ include "opencti.fullname" $ }}-server:{{ $.Values.service.port }}"
22 changes: 22 additions & 0 deletions charts/opencti/templates/connector/serviceaccount.yaml
@@ -0,0 +1,22 @@
{{- range .Values.connectors }}
{{- $connectorName := .name }}

{{ if and .serviceAccount (hasKey .serviceAccount "create") }}
{{- if .serviceAccount.create -}}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ if and .serviceAccount (hasKey .serviceAccount "name") }}{{ .serviceAccount.name }}{{ else }}{{ $connectorName }}-connector-{{ include "opencti.fullname" $ }}{{ end }}
labels:
opencti.connector: {{ $connectorName }}
{{- include "opencti.labels" $ | nindent 4 }}
{{- with .serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .serviceAccount.automountServiceAccountToken | default "false" }}
{{- end }}
{{- end }}

{{- end }}
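Review bot: the `metadata.name` expression duplicates the one in `deployment.yaml` character for character; a helper template (for example one that takes the connector and returns the account name) would keep the ServiceAccount and the Deployment's `serviceAccountName` in sync if the default naming ever changes. Defaulting `automountServiceAccountToken` to `false` is the right least-privilege choice and matches the docs. Small rendering point: the outer `{{ if and .serviceAccount (hasKey .serviceAccount "create") }}` has no whitespace trim, so each disabled connector leaves stray blank lines in the output; `{{- if ... }}` avoids that.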
File renamed without changes.
File renamed without changes.
3 changes: 3 additions & 0 deletions charts/opencti/values.yaml
Expand Up @@ -249,6 +249,9 @@ connectors: []
# - name: connector-name
# enabled: true
# replicas: 1
# # -- Service Account for connector
# serviceAccount: {}
# create: false
# # -- Image registry
# image: {}
# repository:
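Review bot: the commented example under `serviceAccount: {}` lists only `create: false`; the `name`, `annotations` and `automountServiceAccountToken` keys that `serviceaccount.yaml` consumes (and that `docs/examples.md` describes) are not shown here, so users reading `values.yaml` alone will not discover them. Suggest adding them with their defaults, including `automountServiceAccountToken: false`, so the safe default is visible at the point of configuration.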