diff --git a/.github/workflows/lint-test.yaml b/.github/workflows/lint-test.yaml index 18cebba..89526cd 100644 --- a/.github/workflows/lint-test.yaml +++ b/.github/workflows/lint-test.yaml @@ -13,6 +13,10 @@ jobs: with: fetch-depth: 0 + - name: Configure sysctl for Elasticsearch + run: | + sysctl -w vm.max_map_count=262144 + # default install latest (stable) - name: Set up Helm uses: azure/setup-helm@v4 diff --git a/charts/opencti/README.md b/charts/opencti/README.md index 193540a..f67cd8d 100644 --- a/charts/opencti/README.md +++ b/charts/opencti/README.md @@ -80,17 +80,24 @@ helm show values opencti/opencti | Key | Type | Default | Description | |-----|------|---------|-------------| | affinity | object | `{}` | Affinity for pod assignment
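Review bot: `sysctl -w vm.max_map_count=262144` in the new "Configure sysctl for Elasticsearch" step needs root, and on GitHub-hosted runners the job runs as the unprivileged `runner` user (passwordless sudo is available), so the step will fail with a permission error unless this workflow runs in a root container, which the hunk does not show; the line should read `sudo sysctl -w vm.max_map_count=262144`. Since the chart defaults listed in the README disable the Elasticsearch subchart's own `sysctlImage`, a failed step here leaves the host without the setting the subchart relies on. A one-line comment above the command, `# required by the Elasticsearch bootstrap check; the subchart's sysctlImage is disabled`, would record why the step exists.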
Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity | +| args | list | `[]` | Configure args
Ref: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/ | | autoscaling | object | `{"enabled":false,"maxReplicas":100,"minReplicas":1,"targetCPUUtilizationPercentage":80}` | Autoscaling with CPU or memory utilization percentage
Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ | +| command | list | `[]` | Configure command
Ref: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/ | +| configMaps | list | `[]` | ConfigMap values to create configuration files Generate ConfigMap with following name: -
Ref: https://kubernetes.io/docs/concepts/configuration/configmap/ | | connectors | list | `[]` | Connectors
Ref: https://github.com/OpenCTI-Platform/connectors/tree/master | -| connectorsGlobal | object | `{"env":{},"envFromSecrets":{},"volumeMounts":[],"volumes":[]}` | Connectors Globals | +| connectorsGlobal | object | `{"env":{},"envFromConfigMap":{},"envFromFiles":[],"envFromSecrets":{},"volumeMounts":[],"volumes":[]}` | Connectors global configuration | | connectorsGlobal.env | object | `{}` | Additional environment variables on the output connector definition | -| connectorsGlobal.envFromSecrets | object | `{}` | Secrets from variables | +| connectorsGlobal.envFromConfigMap | object | `{}` | Variables from configMap | +| connectorsGlobal.envFromFiles | list | `[]` | Load all variables from files | +| connectorsGlobal.envFromSecrets | object | `{}` | Variables from secrets | | connectorsGlobal.volumeMounts | list | `[]` | Additional volumeMounts on the output connector Deployment definition | | connectorsGlobal.volumes | list | `[]` | Additional volumes on the output connector Deployment definition | | elasticsearch | object | `{"clusterName":"elastic","coordinating":{"replicaCount":0},"data":{"persistence":{"enabled":false},"replicaCount":1},"enabled":true,"extraEnvVars":[{"name":"ES_JAVA_OPTS","value":"-Xms512M -Xmx512M"}],"ingest":{"enabled":false},"master":{"masterOnly":true,"persistence":{"enabled":false},"replicaCount":1},"sysctlImage":{"enabled":false}}` | ElasticSearch subchart deployment
Ref: https://github.com/bitnami/charts/blob/main/bitnami/elasticsearch/values.yaml | | elasticsearch.enabled | bool | `true` | Enable or disable ElasticSearch subchart | | env | object | `{"APP__ADMIN__EMAIL":"admin@opencti.io","APP__ADMIN__PASSWORD":"ChangeMe","APP__ADMIN__TOKEN":"ChangeMe","APP__BASE_PATH":"/","APP__GRAPHQL__PLAYGROUND__ENABLED":false,"APP__GRAPHQL__PLAYGROUND__FORCE_DISABLED_INTROSPECTION":false,"APP__HEALTH_ACCESS_KEY":"ChangeMe","APP__TELEMETRY__METRICS__ENABLED":true,"ELASTICSEARCH__URL":"http://release-name-elasticsearch:9200","MINIO__ENDPOINT":"release-name-minio:9000","RABBITMQ__HOSTNAME":"release-name-rabbitmq","RABBITMQ__PASSWORD":"ChangeMe","RABBITMQ__PORT":5672,"RABBITMQ__PORT_MANAGEMENT":15672,"RABBITMQ__USERNAME":"user","REDIS__HOSTNAME":"release-name-redis-master","REDIS__MODE":"single","REDIS__PORT":6379}` | Environment variables to configure application
Ref: https://docs.openbas.io/latest/deployment/configuration/#platform | -| envFromSecrets | object | `{}` | Secrets from variables | +| envFromConfigMap | object | `{}` | Variables from configMap | +| envFromFiles | list | `[]` | Load all variables from files
Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables | +| envFromSecrets | object | `{}` | Variables from secrets | | fullnameOverride | string | `""` | String to fully override opencti.fullname template | | global | object | `{"imagePullSecrets":[],"imageRegistry":""}` | Global section contains configuration options that are applied to all services | | global.imagePullSecrets | list | `[]` | Specifies the secrets to use for pulling images from private registries Leave empty if no secrets are required E.g. imagePullSecrets: - name: myRegistryKeySecretName | @@ -101,6 +108,7 @@ helm show values opencti/opencti | image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion | | imagePullSecrets | list | `[]` | Global Docker registry secret names as an array | | ingress | object | `{"annotations":{},"className":"","enabled":false,"hosts":[{"host":"chart-example.local","paths":[{"path":"/","pathType":"ImplementationSpecific"}]}],"tls":[]}` | Ingress configuration to expose app
Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ | +| initContainers | list | `[]` | Configure additional containers
Ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ | | lifecycle | object | `{}` | Configure lifecycle hooks
Ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
Ref: https://learnk8s.io/graceful-shutdown | | livenessProbe | object | `{"enabled":true,"failureThreshold":3,"initialDelaySeconds":180,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":5}` | Configure liveness checker
Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes | | livenessProbeCustom | object | `{}` | Custom livenessProbe | @@ -133,7 +141,7 @@ helm show values opencti/opencti | redis.enabled | bool | `true` | Enable or disable Redis subchart | | replicaCount | int | `1` | Number of replicas for the service | | resources | object | `{}` | The resources limits and requested
Ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | -| secrets | object | `{}` | Secrets values to create credentials and reference by envFromSecrets Generate Secret with following name: `-credentials` | +| secrets | object | `{}` | Secrets values to create credentials and reference by envFromSecrets Generate Secret with following name: `-credentials`
Ref: https://kubernetes.io/docs/concepts/configuration/secret/ | | securityContext | object | `{}` | Defines privilege and access control settings for a Container
Ref: https://kubernetes.io/docs/concepts/security/pod-security-standards/
Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ | | service | object | `{"port":80,"targetPort":4000,"type":"ClusterIP"}` | Kubernetes service to expose Pod
Ref: https://kubernetes.io/docs/concepts/services-networking/service/ | | service.port | int | `80` | Kubernetes Service port | @@ -141,7 +149,7 @@ helm show values opencti/opencti | service.type | string | `"ClusterIP"` | Kubernetes Service type. Allowed values: NodePort, LoadBalancer or ClusterIP | | serviceAccount | object | `{"annotations":{},"automountServiceAccountToken":false,"create":true,"name":""}` | Enable creation of ServiceAccount | | serviceAccount.annotations | object | `{}` | Annotations to add to the service account | -| serviceAccount.automountServiceAccountToken | bool | `false` | Specifies if you don't want the kubelet to automatically mount a ServiceAccount's API credentials | +| serviceAccount.automountServiceAccountToken | bool | `false` | Specifies if you don't want the kubelet to automatically mount a ServiceAccount API credentials | | serviceAccount.create | bool | `true` | Specifies whether a service account should be created | | serviceAccount.name | string | `""` | Name of the service account to use. If not set and create is true, a name is generated using the fullname template | | serviceMonitor | object | `{"enabled":false,"interval":"30s","metricRelabelings":[],"relabelings":[],"scrapeTimeout":"10s"}` | Enable ServiceMonitor to get metrics
Ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#servicemonitor | @@ -154,16 +162,22 @@ helm show values opencti/opencti | topologySpreadConstraints | list | `[]` | Control how Pods are spread across your cluster
Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/#example-multiple-topologyspreadconstraints | | volumeMounts | list | `[]` | Additional volumeMounts on the output Deployment definition | | volumes | list | `[]` | Additional volumes on the output Deployment definition | -| worker | object | `{"affinity":{},"autoscaling":{"enabled":false,"maxReplicas":100,"minReplicas":1,"targetCPUUtilizationPercentage":80},"enabled":true,"env":{"WORKER_LOG_LEVEL":"info","WORKER_TELEMETRY_ENABLED":true},"envFromSecrets":{},"image":{"pullPolicy":"IfNotPresent","repository":"opencti/worker","tag":""},"lifecycle":{},"networkPolicy":{"egress":[],"enabled":false,"ingress":[],"policyTypes":[]},"nodeSelector":{},"podDisruptionBudget":{"enabled":false,"maxUnavailable":1,"minAvailable":null},"readyChecker":{"enabled":true,"pullPolicy":"IfNotPresent","repository":"busybox","retries":30,"tag":"latest","timeout":5},"replicaCount":1,"resources":{},"serviceMonitor":{"enabled":false,"interval":"30s","metricRelabelings":[],"relabelings":[],"scrapeTimeout":"10s"},"terminationGracePeriodSeconds":30,"tolerations":[],"topologySpreadConstraints":[],"volumeMounts":[],"volumes":[]}` | OpenCTI worker deployment configuration
Ref: https://docs.opencti.io/latest/deployment/overview/#workers | +| worker | object | `{"affinity":{},"args":[],"autoscaling":{"enabled":false,"maxReplicas":100,"minReplicas":1,"targetCPUUtilizationPercentage":80},"command":[],"configMaps":[],"enabled":true,"env":{"WORKER_LOG_LEVEL":"info","WORKER_TELEMETRY_ENABLED":true},"envFromConfigMap":{},"envFromFiles":[],"envFromSecrets":{},"image":{"pullPolicy":"IfNotPresent","repository":"opencti/worker","tag":""},"initContainers":[],"lifecycle":{},"networkPolicy":{"egress":[],"enabled":false,"ingress":[],"policyTypes":[]},"nodeSelector":{},"podDisruptionBudget":{"enabled":false,"maxUnavailable":1,"minAvailable":null},"readyChecker":{"enabled":true,"pullPolicy":"IfNotPresent","repository":"busybox","retries":30,"tag":"latest","timeout":5},"replicaCount":1,"resources":{},"serviceMonitor":{"enabled":false,"interval":"30s","metricRelabelings":[],"relabelings":[],"scrapeTimeout":"10s"},"terminationGracePeriodSeconds":30,"tolerations":[],"topologySpreadConstraints":[],"volumeMounts":[],"volumes":[]}` | OpenCTI worker deployment configuration
Ref: https://docs.opencti.io/latest/deployment/overview/#workers | | worker.affinity | object | `{}` | Affinity for pod assignment
Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity | +| worker.args | list | `[]` | Configure args
Ref: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/ | | worker.autoscaling | object | `{"enabled":false,"maxReplicas":100,"minReplicas":1,"targetCPUUtilizationPercentage":80}` | Autoscaling with CPU or memory utilization percentage
Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ | +| worker.command | list | `[]` | Configure command
Ref: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/ | +| worker.configMaps | list | `[]` | ConfigMap values to create configuration files Generate ConfigMap with following name: -
Ref: https://kubernetes.io/docs/concepts/configuration/configmap/ | | worker.enabled | bool | `true` | Enable or disable worker | | worker.env | object | `{"WORKER_LOG_LEVEL":"info","WORKER_TELEMETRY_ENABLED":true}` | Environment variables to configure application
Ref: https://docs.opencti.io/latest/deployment/configuration/#platform | -| worker.envFromSecrets | object | `{}` | Secrets from variables | +| worker.envFromConfigMap | object | `{}` | Variables from configMap | +| worker.envFromFiles | list | `[]` | Load all variables from files
Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables | +| worker.envFromSecrets | object | `{}` | Variables from secrets | | worker.image | object | `{"pullPolicy":"IfNotPresent","repository":"opencti/worker","tag":""}` | Image registry configuration for the base service | | worker.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the image | | worker.image.repository | string | `"opencti/worker"` | Repository of the image | | worker.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion | +| worker.initContainers | list | `[]` | Configure additional containers
Ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ | | worker.lifecycle | object | `{}` | Configure lifecycle hooks
Ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
Ref: https://learnk8s.io/graceful-shutdown | | worker.networkPolicy | object | `{"egress":[],"enabled":false,"ingress":[],"policyTypes":[]}` | NetworkPolicy configuration
Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ | | worker.networkPolicy.enabled | bool | `false` | Enable or disable NetworkPolicy | diff --git a/charts/opencti/ci/ci-common-values.yaml b/charts/opencti/ci/ci-common-values.yaml index 716f954..38519e4 100644 --- a/charts/opencti/ci/ci-common-values.yaml +++ b/charts/opencti/ci/ci-common-values.yaml @@ -27,6 +27,11 @@ lifecycle: exec: command: ["sh", "-c", "sleep 10"] +initContainers: + - name: my-container + image: busybox + command: ['sh', '-c', 'echo "Hello, World!"'] + terminationGracePeriodSeconds: 40 networkPolicy: @@ -42,6 +47,13 @@ secrets: APP__ADMIN__TOKEN: "b1976749-8a53-4f49-bf04-cafa2a3458c1" RABBITMQ__PASSWORD: ChangeMe +configMaps: + - name: configmap-name-ci + data: + my.key: > + my-content + my_var: my-value + envFromSecrets: APP__ADMIN__TOKEN: name: opencti-ci-credentials @@ -63,7 +75,7 @@ worker: readyChecker: enabled: true - retries: 40 + retries: 60 timeout: 10 lifecycle: @@ -71,6 +83,26 @@ worker: exec: command: ["sh", "-c", "sleep 10"] + initContainers: + - name: my-container + image: busybox + command: ['sh', '-c', 'echo "Hello, World!"'] + + env: + MY_VARIABLE_WORKER_ENV: my_value + + configMaps: + - name: configmap-name-worker-ci + data: + my.key: > + my-content + my_var_worker: my-value + + envFromConfigMap: + my_var_worker: + name: configmap-name-worker-ci + key: my_var_worker + terminationGracePeriodSeconds: 40 networkPolicy: @@ -87,10 +119,18 @@ worker: topologyKey: kubernetes.io/os whenUnsatisfiable: DoNotSchedule +connectorsGlobal: + env: + MY_VARIABLE_ENV: my_value + connectors: - name: opencti enabled: true replicas: 1 + podSecurityContext: + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 serviceMonitor: enabled: true interval: 30s @@ -103,7 +143,7 @@ connectors: automountServiceAccountToken: true readyChecker: enabled: true - retries: 40 + retries: 60 timeout: 10 lifecycle: preStop: 
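Review bot: In the worker section of ci-common-values.yaml, `envFromConfigMap.my_var_worker.name: configmap-name-worker-ci` does not match the name the chart gives the ConfigMap it creates from `worker.configMaps`: the new worker/configmap.yaml template names it `{{ include "opencti.fullname" $ }}-configmap-name-worker-ci`, and the server and connector deployment templates in this diff pass `{{ $value.name }}` through unchanged (the worker env block is not in view, but presumably does the same), so the pod would reference a ConfigMap that does not exist and sit in CreateContainerConfigError. The `envFromSecrets` entries in the same file already use the prefixed form (`opencti-ci-credentials`), so the consistent value is `name: opencti-ci-configmap-name-worker-ci`, assuming the CI release's fullname is `opencti-ci`, which is set outside this hunk. A comment on the entry, `# must include the release fullname prefix the configmap template adds`, would keep the next example from repeating this.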
@@ -123,6 +163,9 @@ connectors: OPENCTI_TOKEN: name: opencti-ci-credentials key: APP__ADMIN__TOKEN + envFromFiles: + - secretRef: + name: opencti-ci-credentials topologySpreadConstraints: - maxSkew: 1 topologyKey: kubernetes.io/os diff --git a/charts/opencti/templates/connector/deployment.yaml b/charts/opencti/templates/connector/deployment.yaml index 586f975..8169e60 100644 --- a/charts/opencti/templates/connector/deployment.yaml +++ b/charts/opencti/templates/connector/deployment.yaml 
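Review bot: `envFromFiles: - secretRef: name: opencti-ci-credentials` on the connector injects every key of the credentials Secret (the README lists `APP__ADMIN__PASSWORD`, `APP__ADMIN__TOKEN`, `RABBITMQ__PASSWORD` among them) into the connector's environment, while the connector only consumes `OPENCTI_TOKEN`, which the `envFromSecrets` entry just above already provides. As a CI fixture that is acceptable, but since ci-common-values.yaml doubles as a usage example, a comment such as `# CI only: loads every key of the Secret; prefer envFromSecrets for single keys` would steer real deployments toward the narrower form. Note also that Kubernetes gives an explicit `env` entry precedence over a same-named key loaded via `envFrom`, so the `OPENCTI_TOKEN` above still wins here.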
@@ -48,26 +48,33 @@ spec: {{ if and .readyChecker (hasKey .readyChecker "enabled") }} {{- if .readyChecker.enabled }} initContainers: - - name: ready-checker-server - {{- if $.Values.global.imageRegistry }} - image: "{{ $.Values.global.imageRegistry }}/{{ .readyChecker.image | default "busybox" }}:{{ .readyChecker.tag | default "latest" }}" - {{- else }} - image: {{ .readyChecker.repository | default "busybox" }}:{{ .readyChecker.tag | default "latest" }} - imagePullPolicy: {{ .readyChecker.pullPolicy | default "IfNotPresent" }} + - name: ready-checker-server + {{- if $.Values.global.imageRegistry }} + image: "{{ $.Values.global.imageRegistry }}/{{ .readyChecker.image | default "busybox" }}:{{ .readyChecker.tag | default "latest" }}" + {{- else }} + image: {{ .readyChecker.repository | default "busybox" }}:{{ .readyChecker.tag | default "latest" }} + imagePullPolicy: {{ .readyChecker.pullPolicy | default "IfNotPresent" }} + {{- end }} + command: + - 'sh' + - '-c' + - > + RETRY=0; + until [ $RETRY -eq {{ $.Values.worker.readyChecker.retries }} ]; + do + if nc -zv {{ $.Values.fullnameOverride | default (include "opencti.fullname" $) }}-server {{ $.Values.service.port }}; then + echo "Service {{ $.Values.fullnameOverride | default (include "opencti.fullname" $) }}-server:{{ $.Values.service.port }} is ready"; + exit 0; + fi; + echo "[$RETRY/{{ $.Values.worker.readyChecker.retries }}] waiting service {{ $.Values.fullnameOverride | default (include "opencti.fullname" $) }}-server:{{ $.Values.service.port }} is ready"; + sleep {{ $.Values.worker.readyChecker.timeout }}; + RETRY=$(($RETRY + 1)); + if [ $RETRY -eq {{ $.Values.worker.readyChecker.retries }} ]; then + echo "Service {{ $.Values.fullnameOverride | default (include "opencti.fullname" $) }}-server:{{ $.Values.service.port }} did not become ready after {{ $.Values.worker.readyChecker.retries }} retries"; + exit 1; + fi; + done {{- end }} - command: - - 'sh' - - '-c' - - > - RETRY=0; - until [ $RETRY -eq {{ 
.readyChecker.retries }} ]; - do - nc -zv {{ $.Values.fullnameOverride | default (include "opencti.fullname" $) }}-server {{ $.Values.service.port }} && break; - echo "[$RETRY/{{ .readyChecker.retries }}] waiting service {{ $.Values.fullnameOverride | default (include "opencti.fullname" $) }}-server:{{ $.Values.service.port }} is ready"; - sleep {{ .readyChecker.timeout }}; - RETRY=$(($RETRY + 1)); - done - {{- end }} {{- end }} containers: - name: {{ $connectorName }}-connector 
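Review bot: The rewritten ready-checker loop in connector/deployment.yaml reads `$.Values.worker.readyChecker.retries` and `$.Values.worker.readyChecker.timeout` where the removed lines used the per-connector `.readyChecker.retries` and `.readyChecker.timeout`, while `image`, `tag` and `pullPolicy` on the same container still come from `.readyChecker`; a connector's own `readyChecker.retries: 60` (as set in ci-common-values.yaml in this diff) is therefore silently ignored. Restore `.readyChecker.retries` in the `until` test, the two `echo` lines and the final `if`, and `.readyChecker.timeout` in the `sleep`, with `| default 30` and `| default 5` if the worker defaults are the intended fallback. Separately, the `global.imageRegistry` branch builds the image from `.readyChecker.image` while the other branch uses `.readyChecker.repository`, so a configured repository is dropped whenever a registry is set; this predates the commit but is reshuffled here, and aligning both on `.readyChecker.repository` would fix it. The `range` over connectors enclosing this hunk starts before it.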
@@ -85,98 +92,135 @@ spec: {{- with .lifecycle }} {{- toYaml . | nindent 12 }} {{- end }} + envFrom: + {{- if .envFromFiles }} + {{- tpl (toYaml .envFromFiles) . | nindent 12 }} + {{- end }} + {{- if $connectorsGlobal.envFromFiles }} + {{- tpl (toYaml $connectorsGlobal.envFromFiles) . | nindent 12 }} + {{- end }} env: - # Variables from secrets have precedence - {{- $envList := dict -}} - # Connector specific env from secrets - {{- if .envFromSecrets }} - {{- range $key, $value := .envFromSecrets }} - - name: {{ $key | upper }} - valueFrom: - secretKeyRef: - name: {{ $value.name }} - key: {{ $value.key | default $key }} - {{- $_ := set $envList $key true }} - {{- end }} - {{- end }} - # Connectors global env from secrets - {{- if $connectorsGlobal.envFromSecret }} - {{- range $key, $value := $connectorsGlobal.envFromSecret }} - {{- if not (hasKey $envList $key) }} - - name: {{ $key | upper }} - valueFrom: - secretKeyRef: - name: {{ $value.name }} - key: {{ $value.key | default $key }} - {{- $_ := set $envList $key true }} - {{- end }} - {{- end }} - {{- end }} - # Add variables in plain text if they were not already added from secrets - {{- if .env }} - {{- range $key, $value := .env }} - {{- if not (hasKey $envList $key) }} - - name: {{ $key | upper }} - value: {{ $value | quote }} - {{- $_ := set $envList $key true }} - {{- end }} - {{- end }} - {{- end }} - # Connectors global env from secrets - {{- if $connectorsGlobal.env }} - {{- range $key, $value := $connectorsGlobal.env }} - {{- if not (hasKey $envList $key) }} - - name: {{ $key | upper }} - value: {{ $value | quote }} - {{- $_ := set $envList $key true }} - {{- end }} - {{- end }} - {{- end }} - # Special handling for OPENCTI_URL which is constructed from other values - {{- if not (hasKey $envList "OPENCTI_URL") }} - {{- if eq $.Values.env.APP__BASE_PATH "/" }} - - name: OPENCTI_URL - value: "http://{{ include "opencti.fullname" $ }}-server:{{ $.Values.service.port }}" - {{- else }} - - name: OPENCTI_URL 
- value: "http://{{ include "opencti.fullname" $ }}-server:{{ $.Values.service.port }}{{ $.Values.env.APP__BASE_PATH }}" - {{- end }} - {{- end }} - # Special handling for OPENCTI_TOKEN which is constructed from other values - {{- if and (not (hasKey $envList "OPENCTI_TOKEN")) (or ($.Values.secrets.APP__ADMIN__TOKEN) ($.Values.env.APP__ADMIN__TOKEN)) }} - {{- if $.Values.secrets.APP__ADMIN__TOKEN }} - - name: OPENCTI_TOKEN - value: {{ $.Values.secrets.APP__ADMIN__TOKEN }} - {{- else if $.Values.env.APP__ADMIN__TOKEN }} - - name: OPENCTI_TOKEN - value: {{ $.Values.env.APP__ADMIN__TOKEN }} - {{- end }} - {{- end }} + # Variables from secrets have precedence + # Connector specific env from secrets + {{- $envList := dict -}} + {{- if .envFromSecrets }} + {{- range $key, $value := .envFromSecrets }} + - name: {{ $key | upper }} + valueFrom: + secretKeyRef: + name: {{ $value.name }} + key: {{ $value.key | default $key }} + {{- $_ := set $envList $key true }} + {{- end }} + {{- end }} + # Variables from configmap have precedence + {{- if .envFromConfigMap }} + {{- range $key, $value := .envFromConfigMap }} + {{- if not (hasKey $envList $key) }} + - name: {{ $key | upper }} + valueFrom: + configMapKeyRef: + name: {{ $value.name }} + key: {{ $value.key | default $key }} + {{- $_ := set $envList $key true }} + {{- end }} + {{- end }} + {{- end }} + # Add variables in plain text if they were not already added from secrets + {{- if .env }} + {{- range $key, $value := .env }} + {{- if not (hasKey $envList $key) }} + - name: {{ $key | upper }} + value: {{ $value | quote }} + {{- $_ := set $envList $key true }} + {{- end }} + {{- end }} + {{- end }} + # Special handling for OPENCTI_URL which is constructed from other values + {{- if not (hasKey $envList "OPENCTI_URL") }} + {{- if eq $.Values.env.APP__BASE_PATH "/" }} + - name: OPENCTI_URL + value: "http://{{ include "opencti.fullname" $ }}-server:{{ $.Values.service.port }}" + {{- else }} + - name: OPENCTI_URL + value: "http://{{ 
include "opencti.fullname" $ }}-server:{{ $.Values.service.port }}{{ $.Values.env.APP__BASE_PATH }}" + {{- end }} + {{- end }} + # Special handling for OPENCTI_TOKEN which is constructed from other values + {{- if and (not (hasKey $envList "OPENCTI_TOKEN")) (or ($.Values.secrets.APP__ADMIN__TOKEN) ($.Values.env.APP__ADMIN__TOKEN)) }} + {{- if $.Values.secrets.APP__ADMIN__TOKEN }} + - name: OPENCTI_TOKEN + value: {{ $.Values.secrets.APP__ADMIN__TOKEN }} + {{- else if $.Values.env.APP__ADMIN__TOKEN }} + - name: OPENCTI_TOKEN + value: {{ $.Values.env.APP__ADMIN__TOKEN }} + {{- end }} + {{- end }} + # Connectors global env from secrets + {{- if $connectorsGlobal.envFromSecrets }} + {{- range $key, $value := $connectorsGlobal.envFromSecrets }} + {{- if not (hasKey $envList $key) }} + - name: {{ $key | upper }} + valueFrom: + secretKeyRef: + name: {{ $value.name }} + key: {{ $value.key | default $key }} + {{- $_ := set $envList $key true }} + {{- end }} + {{- end }} + {{- end }} + # Connectors global env from configmap + {{- if $connectorsGlobal.envFromConfigMap }} + {{- range $key, $value := $connectorsGlobal.envFromConfigMap }} + {{- if not (hasKey $envList $key) }} + - name: {{ $key | upper }} + valueFrom: + secretKeyRef: + name: {{ $value.name }} + key: {{ $value.key | default $key }} + {{- $_ := set $envList $key true }} + {{- end }} + {{- end }} + {{- end }} + # Connectors global env + {{- if $connectorsGlobal.env }} + {{- range $key, $value := $connectorsGlobal.env }} + {{- if not (hasKey $envList $key) }} + - name: {{ $key | upper }} + value: {{ $value | quote }} + {{- $_ := set $envList $key true }} + {{- end }} + {{- end }} + {{- end }} + volumeMounts: + {{- with .volumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with $connectorsGlobal.volumeMounts }} + {{- toYaml . 
| nindent 12 }} + {{- end }} resources: {{- toYaml .resources | nindent 12 }} - # Connectors global volumeMounts if defined - {{- with $connectorsGlobal.volumeMounts }} - volumeMounts: - {{- toYaml . | nindent 12 }} - {{- end }} terminationGracePeriodSeconds: {{ .terminationGracePeriodSeconds | default 30 }} - {{- with $connectorsGlobal.volumes }} - # Connectors global volumes if defined volumes: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .nodeSelector }} + {{- with .volumes }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with $connectorsGlobal.volumes }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .nodeSelector }} nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .tolerations }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .tolerations }} tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .affinity }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .affinity }} affinity: - {{- toYaml . | nindent 8 }} - {{- end }} + {{- toYaml . | nindent 8 }} + {{- end }} {{- with .topologySpreadConstraints }} topologySpreadConstraints: {{- range $constraint := . }} diff --git a/charts/opencti/templates/server/configmap.yaml b/charts/opencti/templates/server/configmap.yaml new file mode 100644 index 0000000..1646b1c --- /dev/null +++ b/charts/opencti/templates/server/configmap.yaml @@ -0,0 +1,21 @@ +{{- range .Values.configMaps }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "opencti.fullname" $ }}-{{ .name }} + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-weight: "0" + labels: + {{- include "opencti.serverLabels" $ | nindent 4 }} +data: + {{- range $key, $value := .data }} + {{- if regexMatch "\n" $value }} + {{ $key }}: | + {{ $value | nindent 4 | trim }} + {{- else }} + {{ $key }}: {{ $value }} + {{- end }} + {{- end }} +{{- end }} 
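Review bot: The new "Connectors global env from configmap" block in connector/deployment.yaml builds its `valueFrom` with `secretKeyRef:` instead of `configMapKeyRef:`, so a `connectorsGlobal.envFromConfigMap` entry would be resolved against a Secret of that name; the connector-level `envFromConfigMap` block earlier in the same hunk has it right, and that one line should read `configMapKeyRef:`. Separately, `tpl (toYaml .envFromFiles) .` and its `$connectorsGlobal` twin pass the connector item as the template context, whereas Helm 3's `tpl` looks up `.Template.BasePath` on the context it is given and errors on a non-root map; `tpl (toYaml .envFromFiles) $` is the safer form, to be confirmed with a render that sets `envFromFiles`. The moved OPENCTI_TOKEN branch also still writes `$.Values.secrets.APP__ADMIN__TOKEN` as a plain `value:` into the Deployment even though the chart creates a Secret from `.Values.secrets`, so a `secretKeyRef` into that Secret would keep the token out of the rendered manifest. The `range` over connectors enclosing this hunk starts before it.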
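Review bot: `{{ $key }}: {{ $value }}` in the single-line branch of the new server/configmap.yaml emits the value unquoted, so a value such as `true`, `1.10`, `0644` or `NO` is retyped by the YAML parser and the API server rejects non-string ConfigMap data; it should be `{{ $key }}: {{ $value | quote }}`. The `regexMatch "\n" $value` guard above it also fails to render when `.data` holds a non-string value, which `regexMatch "\n" (toString $value)` avoids. Because the ConfigMap is created as a `pre-install,pre-upgrade` hook (mirroring the existing Secret), it is not tracked by the release: an entry removed from `.Values.configMaps` leaves its ConfigMap behind and `helm uninstall` does not delete it, which deserves a comment at the top of the template. All three points apply equally to charts/opencti/templates/worker/configmap.yaml, which is identical apart from the labels helper.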
diff --git a/charts/opencti/templates/server/deployment.yaml b/charts/opencti/templates/server/deployment.yaml index d733db2..8dff24b 100644 --- a/charts/opencti/templates/server/deployment.yaml +++ b/charts/opencti/templates/server/deployment.yaml 
@@ -33,30 +33,40 @@ spec: serviceAccountName: {{ include "opencti.serviceAccountName" . }} securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} - {{- if .Values.readyChecker.enabled }} initContainers: - {{- range $service := .Values.readyChecker.services }} - - name: ready-checker-{{ $service.name }} - {{- if $.Values.global.imageRegistry }} - image: "{{ $.Values.global.imageRegistry }}/{{ $.Values.readyChecker.repository }}:{{ $.Values.readyChecker.tag }}" - {{- else }} - image: {{ $.Values.readyChecker.repository }}:{{ $.Values.readyChecker.tag }} + {{- if .Values.readyChecker.enabled }} + {{- range $service := .Values.readyChecker.services }} + - name: ready-checker-{{ $service.name }} + {{- if $.Values.global.imageRegistry }} + image: "{{ $.Values.global.imageRegistry }}/{{ $.Values.readyChecker.repository }}:{{ $.Values.readyChecker.tag }}" + {{- else }} + image: {{ $.Values.readyChecker.repository }}:{{ $.Values.readyChecker.tag }} + {{- end }} + imagePullPolicy: {{ $.Values.readyChecker.pullPolicy }} + command: + - 'sh' + - '-c' + - | + RETRY=0; + until [ $RETRY -eq {{ $.Values.readyChecker.retries }} ]; + do + if nc -zv {{ $.Values.fullnameOverride | default $.Release.Name }}-{{ $service.name }} {{ $service.port }}; then + echo "Service {{ $.Values.fullnameOverride | default $.Release.Name }}-{{ $service.name }}:{{ $service.port }} is ready"; + exit 0; + fi; + echo "[$RETRY/{{ $.Values.readyChecker.retries }}] waiting service {{ $.Values.fullnameOverride | default $.Release.Name }}-{{ $service.name }}:{{ $service.port }} is ready"; + sleep {{ $.Values.readyChecker.timeout }}; + RETRY=$(($RETRY + 1)); + if [ $RETRY -eq {{ $.Values.readyChecker.retries }} ]; then + echo "Service {{ $.Values.fullnameOverride | default $.Release.Name }}-{{ $service.name }}:{{ $service.port }} is not ready"; + exit 1; + fi; + done + {{- end }} + {{- end }} + {{- with .Values.initContainers }} + {{- toYaml . 
| nindent 8 }} {{- end }} - imagePullPolicy: {{ $.Values.readyChecker.pullPolicy }} - command: - - 'sh' - - '-c' - - | - RETRY=0; - until [ $RETRY -eq {{ $.Values.readyChecker.retries }} ]; - do - nc -zv {{ $.Values.fullnameOverride | default $.Release.Name }}-{{ $service.name }} {{ $service.port }} && break; - echo "[$RETRY/{{ $.Values.readyChecker.retries }}] waiting service {{ $.Values.fullnameOverride | default $.Release.Name }}-{{ $service.name }}:{{ $service.port }} is ready"; - sleep {{ $.Values.readyChecker.timeout }}; - RETRY=$(($RETRY + 1)); - done - {{- end }} - {{- end }} containers: - name: {{ .Chart.Name }}-server securityContext: @@ -67,6 +77,12 @@ spec: image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" {{- end }} imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- with .Values.command }} + command: {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.args }} + args: {{- toYaml . | nindent 12 }} + {{- end }} ports: - name: http containerPort: {{ .Values.service.targetPort | default .Values.service.port }} 
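Review bot: `initContainers:` is now emitted unconditionally in server/deployment.yaml, so a release with `readyChecker.enabled: false` and no `initContainers` renders the key with a null value; the API server drops a null list, but strict schema validators such as kubeconform may reject the manifest. Guarding the whole block with `{{- if or .Values.readyChecker.enabled .Values.initContainers }}` … `{{- end }}` keeps the key out of the output when nothing goes under it. The same pattern appears with `envFrom:` in the `@@ -130,38 +146,55 @@` hunk of this file and with `envFrom:`, `volumeMounts:` and `volumes:` in the connector template. The `spec` block containing this hunk starts before it.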
@@ -130,38 +146,55 @@ spec: timeoutSeconds: {{ .Values.startupProbe.timeoutSeconds }} {{- end }} {{- end }} + envFrom: + {{- if .Values.envFromFiles }} + {{- tpl (toYaml .Values.envFromFiles) . | nindent 12 }} + {{- end }} env: - - name: NODE_OPTIONS - value: --max-old-space-size=8096 - - name: PROVIDERS__LOCAL__STRATEGY - value: LocalStrategy - # Variables from secrets have precedence - {{- $envList := dict -}} - {{- if .Values.envFromSecrets }} - {{- range $key, $value := .Values.envFromSecrets }} - {{- if not (hasKey $envList $key) }} - - name: {{ $key | upper }} - valueFrom: - secretKeyRef: - name: {{ $value.name }} - key: {{ $value.key | default $key }} - {{- $_ := set $envList $key true }} - {{- end }} - {{- end }} - {{- end }} - # Add variables in plain text if they were not already added from secrets - {{- if .Values.env }} - {{- range $key, $value := .Values.env }} - {{- if not (hasKey $envList $key) }} - - name: {{ $key | upper }} - value: {{ $value | quote }} - {{- $_ := set $envList $key true }} - {{- end }} - {{- end }} - {{- end }} + - name: NODE_OPTIONS + value: --max-old-space-size=8096 + - name: PROVIDERS__LOCAL__STRATEGY + value: LocalStrategy + # Variables from secrets have precedence + {{- $envList := dict -}} + {{- if .Values.envFromSecrets }} + {{- range $key, $value := .Values.envFromSecrets }} + {{- if not (hasKey $envList $key) }} + - name: {{ $key | upper }} + valueFrom: + secretKeyRef: + name: {{ $value.name }} + key: {{ $value.key | default $key }} + {{- $_ := set $envList $key true }} + {{- end }} + {{- end }} + {{- end }} + # Variables from configmap have precedence + {{- if .Values.envFromConfigMap }} + {{- range $key, $value := .Values.envFromConfigMap }} + {{- if not (hasKey $envList $key) }} + - name: {{ $key | upper }} + valueFrom: + configMapKeyRef: + name: {{ $value.name }} + key: {{ $value.key | default $key }} + {{- $_ := set $envList $key true }} + {{- end }} + {{- end }} + {{- end }} + # Add variables in plain text if they 
were not already added from secrets + {{- if .Values.env }} + {{- range $key, $value := .Values.env }} + {{- if not (hasKey $envList $key) }} + - name: {{ $key | upper }} + value: {{ $value | quote }} + {{- $_ := set $envList $key true }} + {{- end }} + {{- end }} + {{- end }} resources: {{- toYaml .Values.resources | nindent 12 }} - {{- with .Values.volumeMounts }} + {{- with .Values.volumeMounts }} volumeMounts: {{- toYaml . | nindent 12 }} {{- end }} diff --git a/charts/opencti/templates/server/secret.yaml b/charts/opencti/templates/server/secret.yaml index c916afd..154ceef 100644 --- a/charts/opencti/templates/server/secret.yaml +++ b/charts/opencti/templates/server/secret.yaml @@ -8,6 +8,7 @@ metadata: {{- include "opencti.serverLabels" . | nindent 4 }} annotations: helm.sh/hook: "pre-install,pre-upgrade" + helm.sh/hook-weight: "0" data: {{- range $key, $value := .Values.secrets }} {{ $key }}: {{ $value | b64enc }} diff --git a/charts/opencti/templates/worker/configmap.yaml b/charts/opencti/templates/worker/configmap.yaml new file mode 100644 index 0000000..dabf11f --- /dev/null +++ b/charts/opencti/templates/worker/configmap.yaml @@ -0,0 +1,21 @@ +{{- range .Values.worker.configMaps }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "opencti.fullname" $ }}-{{ .name }} + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-weight: "0" + labels: + {{- include "opencti.workerLabels" $ | nindent 4 }} +data: + {{- range $key, $value := .data }} + {{- if regexMatch "\n" $value }} + {{ $key }}: | + {{ $value | nindent 4 | trim }} + {{- else }} + {{ $key }}: {{ $value }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/opencti/templates/worker/deployment.yaml b/charts/opencti/templates/worker/deployment.yaml index 4d15bec..aeaa065 100644 --- a/charts/opencti/templates/worker/deployment.yaml +++ b/charts/opencti/templates/worker/deployment.yaml 
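Review bot: The comment `# Variables from configmap have precedence` above the new `envFromConfigMap` loop in server/deployment.yaml states the opposite of what the code does: `$envList` is filled from `envFromSecrets` first, so a key already taken from a Secret is skipped here, and the ConfigMap block only takes precedence over plain `env`. Reword it to `# Variables from configMap are added next; keys already taken from secrets are skipped` and extend the following comment to `# Add variables in plain text if they were not already added from secrets or configMaps`. It is also worth a comment next to `envFrom:` that an explicit `env` entry overrides a same-named key loaded via `envFromFiles`, since the chart's `$envList` bookkeeping does not cover `envFrom`. The same comment wording is used in the connector template in this diff.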
@@ -36,26 +36,36 @@ spec: {{- toYaml .Values.worker.podSecurityContext | nindent 8 }} {{- if .Values.worker.readyChecker.enabled }} initContainers: - - name: ready-checker-server - {{- if $.Values.global.imageRegistry }} - image: "{{ $.Values.global.imageRegistry }}/{{ $.Values.worker.readyChecker.repository }}:{{ $.Values.worker.readyChecker.tag }}" - {{- else }} - image: {{ $.Values.worker.readyChecker.repository }}:{{ $.Values.worker.readyChecker.tag }} + - name: ready-checker-server + {{- if $.Values.global.imageRegistry }} + image: "{{ $.Values.global.imageRegistry }}/{{ $.Values.worker.readyChecker.repository }}:{{ $.Values.worker.readyChecker.tag }}" + {{- else }} + image: {{ $.Values.worker.readyChecker.repository }}:{{ $.Values.worker.readyChecker.tag }} + {{- end }} + imagePullPolicy: {{ $.Values.worker.readyChecker.pullPolicy }} + command: + - 'sh' + - '-c' + - > + RETRY=0; + until [ $RETRY -eq {{ $.Values.worker.readyChecker.retries }} ]; + do + if nc -zv {{ $.Values.fullnameOverride | default (include "opencti.fullname" .) }}-server {{ $.Values.service.port }}; then + echo "Service {{ $.Values.fullnameOverride | default (include "opencti.fullname" .) }}-server:{{ $.Values.service.port }} is ready"; + exit 0; + fi; + echo "[$RETRY/{{ $.Values.worker.readyChecker.retries }}] waiting service {{ $.Values.fullnameOverride | default (include "opencti.fullname" .) }}-server:{{ $.Values.service.port }} is ready"; + sleep {{ $.Values.worker.readyChecker.timeout }}; + RETRY=$(($RETRY + 1)); + if [ $RETRY -eq {{ $.Values.worker.readyChecker.retries }} ]; then + echo "Service {{ $.Values.fullnameOverride | default (include "opencti.fullname" .) }}-server:{{ $.Values.service.port }} is not ready"; + exit 1; + fi; + done + {{- end }} + {{- with .Values.worker.initContainers }} + {{- toYaml . 
| nindent 8 }} {{- end }} - imagePullPolicy: {{ $.Values.worker.readyChecker.pullPolicy }} - command: - - 'sh' - - '-c' - - > - RETRY=0; - until [ $RETRY -eq {{ $.Values.worker.readyChecker.retries }} ]; - do - nc -zv {{ $.Values.fullnameOverride | default (include "opencti.fullname" .) }}-server {{ $.Values.service.port }} && break; - echo "[$RETRY/{{ $.Values.worker.readyChecker.retries }}] waiting service {{ $.Values.fullnameOverride | default (include "opencti.fullname" .) }}-server:{{ $.Values.service.port }} is ready"; - sleep {{ $.Values.worker.readyChecker.timeout }}; - RETRY=$(($RETRY + 1)); - done - {{- end }} containers: - name: {{ .Chart.Name }}-worker securityContext: @@ -66,6 +76,12 @@ spec: image: "{{ .Values.worker.image.repository }}:{{ .Values.worker.image.tag | default .Chart.AppVersion }}" {{- end }} imagePullPolicy: {{ .Values.worker.image.pullPolicy }} + {{- with .Values.worker.command }} + command: {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.worker.args }} + args: {{- toYaml . | nindent 12 }} + {{- end }} ports: {{- if .Values.worker.env.WORKER_TELEMETRY_ENABLED }} - name: metrics 
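Review bot: User-supplied `.Values.worker.initContainers` are appended under the new `{{- with .Values.worker.initContainers }}`, but the `initContainers:` key is still only emitted inside `{{- if .Values.worker.readyChecker.enabled }}`, so disabling the ready checker while setting custom init containers renders the list items with no parent key under the pod spec and the manifest no longer parses. Emit the key whenever either source is non-empty: `{{- if or .Values.worker.readyChecker.enabled .Values.worker.initContainers }}` / `initContainers:` / `{{- if .Values.worker.readyChecker.enabled }}` around the `ready-checker-server` item, keep the `with` block inside the outer `if`, and close both with `{{- end }}`. In the rewritten shell loop the `until [ $RETRY -eq … ]` guard can only trigger when `retries` is 0 (the inner `if` after the increment exits first otherwise), and in that case the script falls off the end with exit status 0 without ever probing the server; a `retries` of 0 should probably fail or be rejected. The pod spec this hunk edits starts before the hunk.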
@@ -76,52 +92,69 @@ spec: {{- with .Values.worker.lifecycle }} {{- toYaml . | nindent 12 }} {{- end }} + envFrom: + {{- if .Values.worker.envFromFiles }} + {{- tpl (toYaml .Values.worker.envFromFiles) . | nindent 12 }} + {{- end }} env: - # Variables from secrets have precedence - {{- $envList := dict -}} - {{- if .Values.worker.envFromSecrets }} - {{- range $key, $value := .Values.worker.envFromSecrets }} - - name: {{ $key | upper }} - valueFrom: - secretKeyRef: - name: {{ $value.name }} - key: {{ $value.key | default $key }} - {{- $_ := set $envList $key true }} - {{- end }} - {{- end }} - # Add variables in plain text from .Values.worker.env if they were not already added from secrets - {{- if .Values.worker.env }} - {{- range $key, $value := .Values.worker.env }} - {{- if not (hasKey $envList $key) }} - - name: {{ $key | upper }} - value: {{ $value | quote }} - {{- $_ := set $envList $key true }} - {{- end }} - {{- end }} - {{- end }} - # Special handling for OPENCTI_URL which is constructed from other values - {{- if not (hasKey $envList "OPENCTI_URL") }} - {{- if eq .Values.env.APP__BASE_PATH "/" }} - - name: OPENCTI_URL - value: "http://{{ include "opencti.fullname" . }}-server:{{ .Values.service.port }}" - {{- else }} - - name: OPENCTI_URL - value: "http://{{ include "opencti.fullname" . 
}}-server:{{ .Values.service.port }}{{ .Values.env.APP__BASE_PATH }}" - {{- end }} - {{- end }} - # Special handling for OPENCTI_TOKEN which is constructed from other values - {{- if and (not (hasKey $envList "OPENCTI_TOKEN")) (or (.Values.secrets.APP__ADMIN__TOKEN) (.Values.env.APP__ADMIN__TOKEN)) }} - {{- if .Values.secrets.APP__ADMIN__TOKEN }} - - name: OPENCTI_TOKEN - value: {{ .Values.secrets.APP__ADMIN__TOKEN }} - {{- else if .Values.env.APP__ADMIN__TOKEN }} - - name: OPENCTI_TOKEN - value: {{ .Values.env.APP__ADMIN__TOKEN }} - {{- end }} - {{- end }} + # Variables from secrets have precedence + {{- $envList := dict -}} + {{- if .Values.worker.envFromSecrets }} + {{- range $key, $value := .Values.worker.envFromSecrets }} + - name: {{ $key | upper }} + valueFrom: + secretKeyRef: + name: {{ $value.name }} + key: {{ $value.key | default $key }} + {{- $_ := set $envList $key true }} + {{- end }} + {{- end }} + # Variables from configmap have precedence + {{- if .Values.worker.envFromConfigMap }} + {{- range $key, $value := .Values.worker.envFromConfigMap }} + {{- if not (hasKey $envList $key) }} + - name: {{ $key | upper }} + valueFrom: + configMapKeyRef: + name: {{ $value.name }} + key: {{ $value.key | default $key }} + {{- $_ := set $envList $key true }} + {{- end }} + {{- end }} + {{- end }} + # Add variables in plain text from .Values.worker.env if they were not already added from secrets + {{- if .Values.worker.env }} + {{- range $key, $value := .Values.worker.env }} + {{- if not (hasKey $envList $key) }} + - name: {{ $key | upper }} + value: {{ $value | quote }} + {{- $_ := set $envList $key true }} + {{- end }} + {{- end }} + {{- end }} + # Special handling for OPENCTI_URL which is constructed from other values + {{- if not (hasKey $envList "OPENCTI_URL") }} + {{- if eq .Values.env.APP__BASE_PATH "/" }} + - name: OPENCTI_URL + value: "http://{{ include "opencti.fullname" . 
}}-server:{{ .Values.service.port }}" + {{- else }} + - name: OPENCTI_URL + value: "http://{{ include "opencti.fullname" . }}-server:{{ .Values.service.port }}{{ .Values.env.APP__BASE_PATH }}" + {{- end }} + {{- end }} + # Special handling for OPENCTI_TOKEN which is constructed from other values + {{- if and (not (hasKey $envList "OPENCTI_TOKEN")) (or (.Values.secrets.APP__ADMIN__TOKEN) (.Values.env.APP__ADMIN__TOKEN)) }} + {{- if .Values.secrets.APP__ADMIN__TOKEN }} + - name: OPENCTI_TOKEN + value: {{ .Values.secrets.APP__ADMIN__TOKEN }} + {{- else if .Values.env.APP__ADMIN__TOKEN }} + - name: OPENCTI_TOKEN + value: {{ .Values.env.APP__ADMIN__TOKEN }} + {{- end }} + {{- end }} resources: {{- toYaml .Values.worker.resources | nindent 12 }} - {{- with .Values.worker.volumeMounts }} + {{- with .Values.worker.volumeMounts }} volumeMounts: {{- toYaml . | nindent 12 }} {{- end }} diff --git a/charts/opencti/values.yaml b/charts/opencti/values.yaml index 6e85f62..3941493 100644 --- a/charts/opencti/values.yaml +++ b/charts/opencti/values.yaml @@ -39,8 +39,7 @@ serviceAccount: # -- Name of the service account to use. # If not set and create is true, a name is generated using the fullname template name: "" - # -- Specifies if you don't want the kubelet to automatically mount - # a ServiceAccount's API credentials + # -- Specifies if you don't want the kubelet to automatically mount a ServiceAccount API credentials automountServiceAccountToken: false # -- Enable or disable test connection @@ -74,16 +73,60 @@ env: APP__TELEMETRY__METRICS__ENABLED: true APP__HEALTH_ACCESS_KEY: ChangeMe -# -- Secrets from variables +# -- Variables from configMap +envFromConfigMap: {} + # MY_VARIABLE: + # name: + # key: key + +# -- Variables from secrets envFromSecrets: {} # MY_VARIABLE: - # name: -credentials + # name: # key: secret_key +# -- Load all variables from files +#
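Review bot: `OPENCTI_TOKEN` is rendered as a plain `value: {{ .Values.secrets.APP__ADMIN__TOKEN }}`, so the admin token that server/secret.yaml stores base64-encoded in the credentials Secret (every `.Values.secrets` key) is also written in clear text into the worker Deployment spec, where it shows up in `helm get manifest`, in GitOps diffs and to anyone allowed to read Deployments. The Secret is a `pre-install,pre-upgrade` hook and therefore exists before the Deployment, so the token can be referenced with a `secretKeyRef` exactly like the `envFromSecrets` entries above; the rewritten lines follow. The second `# Variables from configmap have precedence` comment has the same problem as in the server template: secrets win, then configMap refs, then plain `env`. An unquoted `value:` is also fragile if the token starts with a YAML indicator, which `secretKeyRef` sidesteps. The container block this hunk edits starts before the hunk.
```yaml
          # Special handling for OPENCTI_TOKEN which is constructed from other values
          {{- if and (not (hasKey $envList "OPENCTI_TOKEN")) (or (.Values.secrets.APP__ADMIN__TOKEN) (.Values.env.APP__ADMIN__TOKEN)) }}
          {{- if .Values.secrets.APP__ADMIN__TOKEN }}
          - name: OPENCTI_TOKEN
            valueFrom:
              secretKeyRef:
                name: <CREDENTIALS_SECRET_NAME>  # placeholder: the "-credentials" Secret rendered by server/secret.yaml
                key: APP__ADMIN__TOKEN
          {{- else if .Values.env.APP__ADMIN__TOKEN }}
          # … unchanged: plain-text fallback from .Values.env …
          {{- end }}
          {{- end }}
```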
Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables +envFromFiles: [] + # - secretRef: + # name: + # - configMapRef: + # name: + # -- Secrets values to create credentials and reference by envFromSecrets # Generate Secret with following name: `-credentials` +#
Ref: https://kubernetes.io/docs/concepts/configuration/secret/ secrets: {} +# -- ConfigMap values to create configuration files +# Generate ConfigMap with following name: - +#
Ref: https://kubernetes.io/docs/concepts/configuration/configmap/ +configMaps: [] + # - name: configmap-name + # data: + # my.key: |- + # my-content + # my_var: my-value + +# -- Configure additional containers +#
Ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ +initContainers: [] + # - name: my-container + # image: busybox + # command: ['sh', '-c', 'echo "Hello, World!"'] + +# -- Configure args +#
Ref: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/ +args: [] + # - -c + # - echo "Hello, World!" + +# -- Configure command +#
Ref: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/ +command: [] + # - echo + # - "Hello, World!" + # -- Kubernetes service to expose Pod #
Ref: https://kubernetes.io/docs/concepts/services-networking/service/ service: @@ -314,16 +357,16 @@ autoscaling: # -- Additional volumes on the output Deployment definition volumes: [] -# - name: foo -# secret: -# secretName: mysecret -# optional: false + # - name: foo + # secret: + # secretName: mysecret + # optional: false # -- Additional volumeMounts on the output Deployment definition volumeMounts: [] -# - name: foo -# mountPath: "/etc/foo" -# readOnly: true + # - name: foo + # mountPath: "/etc/foo" + # readOnly: true # -- Node labels for pod assignment #
Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector @@ -344,30 +387,44 @@ topologySpreadConstraints: [] # topologyKey: zone # whenUnsatisfiable: DoNotSchedule -# -- Connectors Globals +# -- Connectors global configuration connectorsGlobal: - # -- Secrets from variables - envFromSecrets: {} - # MY_VARIABLE: - # name: -credentials - # key: secret_key # -- Additional environment variables on the output connector definition env: {} - # MY_VARIABLE: my_value + # MY_VARIABLE: my_value + + # -- Variables from secrets + envFromSecrets: {} + # MY_VARIABLE: + # name: + # key: secret_key + + # -- Variables from configMap + envFromConfigMap: {} + # MY_VARIABLE: + # name: + # key: key + + # -- Load all variables from files + envFromFiles: [] + # - secretRef: + # name: + # - configMapRef: + # name: # -- Additional volumes on the output connector Deployment definition volumes: [] - # - name: foo - # secret: - # secretName: mysecret - # optional: false + # - name: foo + # secret: + # secretName: mysecret + # optional: false # -- Additional volumeMounts on the output connector Deployment definition volumeMounts: [] - # - name: foo - # mountPath: "/etc/foo" - # readOnly: true + # - name: foo + # mountPath: "/etc/foo" + # readOnly: true # -- Connectors #
Ref: https://github.com/OpenCTI-Platform/connectors/tree/master @@ -405,11 +462,33 @@ connectors: [] # # -- Environment variables to configure application # env: {} # # my_env: my_value -# # -- Secrets from variables +# # -- Variables from secrets # envFromSecrets: {} -# # my_env: -# # name: release-name-credentials +# # MY_VARIABLE: +# # name: # # key: secret_key +# # -- Variables from configMap +# envFromConfigMap: {} +# # MY_VARIABLE: +# # name: +# # key: key +# # -- Load all variables from files +# envFromFiles: [] +# # - secretRef: +# # name: +# # - configMapRef: +# # name: +# # -- Additional volumes on the output connector Deployment definition +# volumes: [] +# # - name: foo +# # secret: +# # secretName: mysecret +# # optional: false +# # -- Additional volumeMounts on the output connector Deployment definition +# volumeMounts: [] +# # - name: foo +# # mountPath: "/etc/foo" +# # readOnly: true # # -- The resources limits and requested # resources: {} # # limits: @@ -487,12 +566,55 @@ worker: # METRICS WORKER_TELEMETRY_ENABLED: true - # -- Secrets from variables + # -- Variables from configMap + envFromConfigMap: {} + # MY_VARIABLE: + # name: + # key: key + + # -- Variables from secrets envFromSecrets: {} # MY_VARIABLE: - # name: -credentials + # name: # key: secret_key + # -- Load all variables from files + #
Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables + envFromFiles: [] + # - secretRef: + # name: + # - configMapRef: + # name: + + # -- ConfigMap values to create configuration files + # Generate ConfigMap with following name: - + #
Ref: https://kubernetes.io/docs/concepts/configuration/configmap/ + configMaps: [] + # - name: configmap-name + # data: + # my.key: |- + # my-content + # my_var: my-value + + # -- Configure additional containers + #
Ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + initContainers: [] + # - name: my-container + # image: busybox + # command: ['sh', '-c', 'echo "Hello, World!"'] + + # -- Configure args + #
Ref: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/ + args: [] + # - -c + # - echo "Hello, World!" + + # -- Configure command + #
Ref: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/ + command: [] + # - echo + # - "Hello, World!" + # -- NetworkPolicy configuration #
Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ networkPolicy: @@ -538,10 +660,6 @@ worker: # -- The resources limits and requested #
Ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. # limits: # cpu: "250m" # memory: 256Mi @@ -648,7 +766,6 @@ elasticsearch: enabled: false # Data-only nodes parameters - data: # Number of data-only replicas to deploy replicaCount: 1 @@ -723,7 +840,6 @@ rabbitmq: # -- Redis subchart deployment #
Ref: https://github.com/bitnami/charts/blob/main/bitnami/redis/values.yaml - redis: # -- Enable or disable Redis subchart enabled: true