From 1a3c0ebf5ead73aa6ec680d248e9374cb4c05443 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Iv=C3=A1n=20Alejandro=20Marug=C3=A1n?= Date: Tue, 27 Aug 2024 15:17:38 +0200 Subject: [PATCH] feat: add SA connector template * Update examples * Move templates to directories --- .../{ci-values.yaml => ci-common-values.yaml} | 5 +- charts/opencti/ci/ci-secrets-values.yaml | 75 ++++++++++ charts/opencti/docs/examples.md | 131 +++++++++++++++++- .../templates/connector/deployment.yaml | 15 +- .../templates/connector/serviceaccount.yaml | 22 +++ .../templates/{ => server}/ingress.yaml | 0 .../templates/{ => server}/secret.yaml | 0 .../{ => server}/serviceaccount.yaml | 0 charts/opencti/values.yaml | 3 + 9 files changed, 236 insertions(+), 15 deletions(-) rename charts/opencti/ci/{ci-values.yaml => ci-common-values.yaml} (95%) create mode 100644 charts/opencti/ci/ci-secrets-values.yaml create mode 100644 charts/opencti/templates/connector/serviceaccount.yaml rename charts/opencti/templates/{ => server}/ingress.yaml (100%) rename charts/opencti/templates/{ => server}/secret.yaml (100%) rename charts/opencti/templates/{ => server}/serviceaccount.yaml (100%) diff --git a/charts/opencti/ci/ci-values.yaml b/charts/opencti/ci/ci-common-values.yaml similarity index 95% rename from charts/opencti/ci/ci-values.yaml rename to charts/opencti/ci/ci-common-values.yaml index 9eca0ab..58a7f3c 100644 --- a/charts/opencti/ci/ci-values.yaml +++ b/charts/opencti/ci/ci-common-values.yaml @@ -28,7 +28,10 @@ connectors: - name: alienvault enabled: true replicas: 1 - image: {} + serviceAccount: + create: true + name: ci-sa + automountServiceAccountToken: true deploymentAnnotations: ci: "true" podAnnotations: diff --git a/charts/opencti/ci/ci-secrets-values.yaml b/charts/opencti/ci/ci-secrets-values.yaml new file mode 100644 index 0000000..0d77836 --- /dev/null +++ b/charts/opencti/ci/ci-secrets-values.yaml 
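Review bot: With `image: {}` removed, this connector now exercises only the default-image branch of the rewritten `image:` line in charts/opencti/templates/connector/deployment.yaml; unless another connector in this file sets `image.repository` or `image.tag` (not visible here), the explicit `repository`/`tag` path of that line has no CI rendering at all. Adding one connector entry with `image: {repository: <placeholder>, tag: "<placeholder>"}` to either CI values file would cover it. The enclosing `connectors:` list continues outside the hunk.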
@@ -0,0 +1,75 @@
+replicaCount: 1
+fullnameOverride: opencti-ci
+
+secrets:
+ OPENCTI_TOKEN: my-ci-cd
+
+env:
+ APP__ADMIN__EMAIL: admin@opencti.io
+ APP__ADMIN__PASSWORD: test
+ APP__ADMIN__TOKEN: b1976749-8a53-4f49-bf04-cafa2a3458c1
+ APP__BASE_PATH: "/"
+ APP__HEALTH_ACCESS_KEY: f93747ff-2ea1-4717-900c-9df20b8e4429
+ APP__TELEMETRY__METRICS__ENABLED: true
+ APP__GRAPHQL__PLAYGROUND__ENABLED: false
+ APP__GRAPHQL__PLAYGROUND__FORCE_DISABLED_INTROSPECTION: false
+ ELASTICSEARCH__ENGINE_SELECTOR: elk
+ ELASTICSEARCH__URL: http://opencti-ci-elasticsearch:9200
+ MINIO__ENDPOINT: opencti-ci-minio
+ RABBITMQ__HOSTNAME: opencti-ci-rabbitmq
+ RABBITMQ__PASSWORD: ChangeMe
+ RABBITMQ__PORT_MANAGEMENT: 15672
+ RABBITMQ__PORT: 5672
+ RABBITMQ__USERNAME: user
+ REDIS__HOSTNAME: opencti-ci-redis-master
+ REDIS__MODE: single
+ REDIS__PORT: 6379
+
+testConnection: false
+
+envFromSecrets:
+ OPENCTI_TOKEN:
+ name: opencti-ci-credentials
+ key: OPENCTI_TOKEN
+
+connectors:
+- name: alienvault
+ enabled: true
+ replicas: 1
+ env:
+ OPENCTI_TOKEN: "issue-token"
+ # envFromSecrets:
+ # OPENCTI_TOKEN:
+ # name: opencti-ci-credentials
+ # key: OPENCTI_TOKEN
+
+
+serviceMonitor:
+ enabled: false
+
+autoscaling:
+ enabled: true
+
+worker:
+ enabled: true
+
+ autoscaling:
+ enabled: true
+
+elasticsearch:
+ fullnameOverride: opencti-ci-elasticsearch
+ master:
+ resourcesPreset: "medium"
+ data:
+ resourcesPreset: "medium"
+
+minio:
+ fullnameOverride: opencti-ci-minio
+
+rabbitmq:
+ fullnameOverride: opencti-ci-rabbitmq
+ auth:
+ erlangCookie: b25c953e-2193-4b8e-9f3b-9a3a5ba76d75
+
+redis:
+ fullnameOverride: opencti-ci-redis
diff --git a/charts/opencti/docs/examples.md b/charts/opencti/docs/examples.md
index 57e9645..3e5f981 100644
--- a/charts/opencti/docs/examples.md
+++ b/charts/opencti/docs/examples.md
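Review bot: Several `env` entries are YAML booleans or integers (`APP__TELEMETRY__METRICS__ENABLED: true`, `RABBITMQ__PORT: 5672`, `REDIS__PORT: 6379`, `RABBITMQ__PORT_MANAGEMENT: 15672`); a container env `value` must be a string, so unless the deployment template quotes every value (not visible here) the API server rejects the rendered manifest — quoting them as `"true"`, `"5672"` and so on removes the dependency on the template. The admin token, health access key and RabbitMQ `erlangCookie` are literal credentials in a committed file; they are CI fixtures, and a header comment such as `# CI-only fixture values; never reuse outside the test pipeline` makes that explicit for anyone copying this file as a starting point. The connector's `OPENCTI_TOKEN: "issue-token"` differs from `APP__ADMIN__TOKEN`, so presumably the pipeline checks rendering and env precedence rather than connector authentication; a comment stating that would prevent a future "why does the connector fail to log in" hunt.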
@@ -1,6 +1,8 @@ # Examples -## Global: create secrets +## Global + +### Manage secrets Use `secrets` to create secrets to reference with `envFromSecrets`. By default the secret is created in the same namespace of the release. @@ -29,7 +31,9 @@ Can reference the secret using `envFromSecrets` in any (is the same `Secret` for > [!NOTE] > A suggestion to facilitate the management of secrets is to use prefixes. For example, for connector secrets save `CONNECTOR_MISP_MY_SECRET` to reference `MISP` connector. -## Server: health checks +## Server + +### Enable health checks Enable `testConnection` to check if the service is reachable. @@ -106,7 +110,7 @@ Output: - 'RETRY=0; until [ $RETRY -eq 30 ]; do nc -zv opencti-ci-redis-master 6379 && break; echo "[$RETRY/30] waiting service opencti-ci-redis-master:6379 is ready"; sleep 5; RETRY=$(($RETRY + 1)); done' ``` -## Server: configure OpenID +### Configure OpenID ```yaml env: @@ -126,7 +130,9 @@ env: PROVIDERS__OPENID__STRATEGY: "OpenIDConnectStrategy" ``` -## Connector: sample complete +## Connector + +### Sample complete ```yaml connectors: @@ -136,6 +142,8 @@ connectors: replicas: 1 image: repository: opencti/connector-misp + serviceAccount: + create: true env: CONNECTOR_CONFIDENCE_LEVEL: "XXXX" CONNECTOR_ID: "XXXX" @@ -168,7 +176,7 @@ connectors: memory: 128Mi ``` -You can config which node to run the connector using nodeSelector and tolerations. +You can config which node to run the connector using `nodeSelector` and `tolerations`. ```yaml connector: 
@@ -199,3 +207,116 @@ Or you can use affinity to run the connector in different node if you increase r - sample-misp topologyKey: kubernetes.io/hostname ``` + +### Configure image + +You can configure default `image` to run the connector or use default `image`. + +If you don't set `image` block, by default use `opencti/:`. + +```yaml +connectors: +- name: sample-misp + enabled: true + replicas: 1 + ... +``` + +This config use default image: `opencti/sample-misp:6.2.18` + +You can configure `repository` and `tag` to use a custom image. + +```yaml +connectors: +- name: sample-misp + enabled: true + replicas: 1 + image: + repository: my-private-repo/connector-misp-sample + tag: "6.2.15" + ... +``` + +Now, this config set an image: `my-private-repo/connector-misp-sample:6.2.15` + +### Configure serviceAccount + +You can configure default `serviceAccount` to run the connector or use a custom `serviceAccount`. Following code, create a `serviceAccount` named `test` to run the connector. + +```yaml +... +connectors: +- name: sample-misp + enabled: true + replicas: 1 + serviceAccount: + create: true + name: test + automountServiceAccountToken: true # false by default +``` + +Result: + +```yaml +# Source: opencti/templates/connector/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: test + labels: + opencti.connector: sample-misp + ... +automountServiceAccountToken: true +-- +# Source: opencti/templates/connector/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: sample-misp-connector-opencti + ... +spec: + ... + template: + ... + spec: + serviceAccountName: test +``` + +If you want use default `name` (`-connector-`) you can use `create: true` only. + +```yaml +... 
+connectors: +- name: sample-misp + enabled: true + replicas: 1 + serviceAccount: + create: true +``` + +Result: + +```yaml +# Source: opencti/templates/connector/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: sample-misp-connector-opencti + labels: + opencti.connector: splunk + ... +automountServiceAccountToken: true +-- +# Source: opencti/templates/connector/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: sample-misp-connector-opencti + ... +spec: + ... + template: + ... + spec: + serviceAccountName: sample-misp-connector-opencti +``` diff --git a/charts/opencti/templates/connector/deployment.yaml b/charts/opencti/templates/connector/deployment.yaml index f1fce58..63e5c34 100644 --- a/charts/opencti/templates/connector/deployment.yaml +++ b/charts/opencti/templates/connector/deployment.yaml 
@@ -43,20 +43,17 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} {{- end }} + {{- if .serviceAccount }} + serviceAccountName: {{ if and .serviceAccount (hasKey .serviceAccount "name") }}{{ .serviceAccount.name }}{{ else }}{{ $connectorName }}-connector-{{ include "opencti.fullname" $ }}{{ end }} + {{- end }} securityContext: {{- toYaml .podSecurityContext | nindent 8 }} containers: - name: {{ $connectorName }}-connector securityContext: {{- toYaml .securityContext | nindent 12 }} - {{- if .image.repository }} - image: "{{ .image.repository }}:{{ .image.tag | default $.Chart.AppVersion }}" - {{- else if $.Values.global.imageRegistry }} - image: "{{ printf "%s/opencti/%s" $.Values.global.imageRegistry .name }}:{{ .image.tag | default $.Chart.AppVersion }}" - {{- else }} - image: "{{ printf "opencti/%s" .name }}:{{ .image.tag | default $.Chart.AppVersion }}" - {{- end }} - imagePullPolicy: {{ .image.pullPolicy | default "IfNotPresent" }} + image: "{{- if and .image (hasKey .image "repository") }}{{ .image.repository }}{{- else if $.Values.global.imageRegistry }}{{ printf "%s/opencti/%s" $.Values.global.imageRegistry .name }}{{- else }}{{ printf "opencti/%s" .name }}{{- end }}:{{ if and .image (hasKey .image "tag") }}{{ .image.tag | default $.Chart.AppVersion }}{{ else }}{{ $.Chart.AppVersion }}{{ end }}" + imagePullPolicy: {{ if and .image (hasKey .image "pullPolicy") }}{{ .image.pullPolicy }}{{ else }}IfNotPresent{{ end }} env: # Variables from secrets have precedence {{- $envList := dict -}} @@ -73,7 +70,7 @@ spec: {{- end }} # Special handling for OPENCTI_URL which is constructed from other values - {{- if not (hasKey .env "OPENCTI_URL") }} + {{- if not (hasKey $envList "OPENCTI_URL") }} {{- if eq $.Values.env.APP__BASE_PATH "/" }} - name: OPENCTI_URL value: "http://{{ include "opencti.fullname" $ }}-server:{{ $.Values.service.port }}" 
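Review bot: `serviceAccountName` is now emitted whenever `.serviceAccount` is non-empty, so `serviceAccount: {create: false}` without a `name` points the pod at `<connector>-connector-<fullname>`, which nothing creates, and the ReplicaSet fails with a missing-ServiceAccount error; guard on the cases that yield an existing account instead, `{{- if and .serviceAccount (or .serviceAccount.create (hasKey .serviceAccount "name")) }}`. Under that guard the inner `and .serviceAccount` on the `serviceAccountName` line is redundant and can go. The pod spec sets no `automountServiceAccountToken` of its own, so a connector without a `serviceAccount` block runs under the namespace default account with its token mounted; if connectors never call the Kubernetes API (presumably the case), `automountServiceAccountToken: false` at pod level is a cheap hardening that mirrors the default the new ServiceAccount template already applies. The enclosing `spec:` block starts and ends outside the hunk.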
diff --git a/charts/opencti/templates/connector/serviceaccount.yaml b/charts/opencti/templates/connector/serviceaccount.yaml
new file mode 100644
index 0000000..b692e07
--- /dev/null
+++ b/charts/opencti/templates/connector/serviceaccount.yaml
@@ -0,0 +1,22 @@
+{{- range .Values.connectors }}
+{{- $connectorName := .name }}
+
+{{ if and .serviceAccount (hasKey .serviceAccount "create") }}
+{{- if .serviceAccount.create -}}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ if and .serviceAccount (hasKey .serviceAccount "name") }}{{ .serviceAccount.name }}{{ else }}{{ $connectorName }}-connector-{{ include "opencti.fullname" $ }}{{ end }}
+ labels:
+ opencti.connector: {{ $connectorName }}
+ {{- include "opencti.labels" $ | nindent 4 }}
+ {{- with .serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+automountServiceAccountToken: {{ .serviceAccount.automountServiceAccountToken | default "false" }}
+{{- end }}
+{{- end }}
+
+{{- end }}
diff --git a/charts/opencti/templates/ingress.yaml b/charts/opencti/templates/server/ingress.yaml
similarity index 100%
rename from charts/opencti/templates/ingress.yaml
rename to charts/opencti/templates/server/ingress.yaml
diff --git a/charts/opencti/templates/secret.yaml b/charts/opencti/templates/server/secret.yaml
similarity index 100%
rename from charts/opencti/templates/secret.yaml
rename to charts/opencti/templates/server/secret.yaml
diff --git a/charts/opencti/templates/serviceaccount.yaml b/charts/opencti/templates/server/serviceaccount.yaml
similarity index 100%
rename from charts/opencti/templates/serviceaccount.yaml
rename to charts/opencti/templates/server/serviceaccount.yaml
diff --git a/charts/opencti/values.yaml b/charts/opencti/values.yaml
index 7e8eed6..9b040f3 100644
--- a/charts/opencti/values.yaml
+++ b/charts/opencti/values.yaml
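Review bot: Two connectors that both set `create: true` with the same `serviceAccount.name` render two `ServiceAccount` manifests with identical names, which Helm rejects as duplicate resources; the template cannot detect this, so a comment above the `range` should state the rule (`# A serviceAccount.name shared by several connectors must be created by exactly one of them; the others use create: false`). On the last line `default "false"` supplies a string where a boolean is rendered — the output is the same, but `{{ .serviceAccount.automountServiceAccountToken | default false }}` states the intent. The outer `{{ if and .serviceAccount (hasKey .serviceAccount "create") }}` plus inner `{{- if .serviceAccount.create -}}` can collapse to `{{- if and .serviceAccount .serviceAccount.create }}`, which also removes the blank line the untrimmed `{{ if` emits for every connector without a service account. Defaulting automount to false is the right least-privilege choice for an account that gets no RBAC bindings in this patch.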
@@ -249,6 +249,9 @@ connectors: [] # - name: connector-name # enabled: true # replicas: 1 +# # -- Service Account for connector +# serviceAccount: {} +# create: false # # -- Image registry # image: {} # repository:
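Review bot: Only `create` is documented for the new `serviceAccount` block, while charts/opencti/templates/connector/serviceaccount.yaml in this patch also reads `name`, `annotations` and `automountServiceAccountToken`; list all four with `# --` descriptions, e.g. `#     name: ""`, `#     annotations: {}` and `#     automountServiceAccountToken: false` (the rendered default). Note also that `serviceAccount: {}` followed by an indented `create: false` is not valid YAML once a user uncomments it; this mirrors the existing `image: {}` / `repository:` lines, so either keep that pattern deliberately or write `serviceAccount:` without the `{}` in both places.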