From f8bd91ac6779d35dae791657a72bb32709a83df7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Iv=C3=A1n=20Alejandro=20Marug=C3=A1n?= Date: Wed, 28 Aug 2024 20:09:49 +0200 Subject: [PATCH] feat: allow volumes on server and worker * Fix ready-checker on worker * Improve imagePullSecrets conditional * Clean code * Add podAnnotations and podLabels * Add volumes * Improve docs --- charts/opencti/README.md | 105 ++++++------ .../templates/connector/deployment.yaml | 16 +- .../opencti/templates/server/deployment.yaml | 24 +-- .../opencti/templates/worker/deployment.yaml | 28 ++-- charts/opencti/values.yaml | 152 ++++++++++++++++-- 5 files changed, 228 insertions(+), 97 deletions(-) diff --git a/charts/opencti/README.md b/charts/opencti/README.md index 9797139..6029d99 100644 --- a/charts/opencti/README.md +++ b/charts/opencti/README.md @@ -79,11 +79,11 @@ helm show values opencti/opencti | Key | Type | Default | Description | |-----|------|---------|-------------| -| affinity | object | `{}` | Affinity for pod assignment | -| autoscaling | object | `{"enabled":false,"maxReplicas":100,"minReplicas":1,"targetCPUUtilizationPercentage":80}` | Autoscaling with CPU or memory utilization percentage | -| connectors | list | `[]` | Connectors
Ref: https://github.com/OpenCTI-Platform/connectors/tree/master | +| affinity | object | `{}` | Affinity for pod assignment
Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity | +| autoscaling | object | `{"enabled":false,"maxReplicas":100,"minReplicas":1,"targetCPUUtilizationPercentage":80}` | Autoscaling with CPU or memory utilization percentage
Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ | +| connectors | list | `[]` | Connectors
Ref: https://github.com/OpenCTI-Platform/connectors/tree/master | | connectorsGlobalEnv | object | `{}` | Connector Global environment | -| elasticsearch | object | `{"clusterName":"elastic","coordinating":{"replicaCount":0},"data":{"persistence":{"enabled":false},"replicaCount":1},"enabled":true,"extraEnvVars":[{"name":"ES_JAVA_OPTS","value":"-Xms512M -Xmx512M"}],"ingest":{"enabled":false},"master":{"masterOnly":true,"persistence":{"enabled":false},"replicaCount":1},"sysctlImage":{"enabled":false}}` | ElasticSearch subchart deployment
Ref: https://github.com/bitnami/charts/blob/main/bitnami/elasticsearch/values.yaml | +| elasticsearch | object | `{"clusterName":"elastic","coordinating":{"replicaCount":0},"data":{"persistence":{"enabled":false},"replicaCount":1},"enabled":true,"extraEnvVars":[{"name":"ES_JAVA_OPTS","value":"-Xms512M -Xmx512M"}],"ingest":{"enabled":false},"master":{"masterOnly":true,"persistence":{"enabled":false},"replicaCount":1},"sysctlImage":{"enabled":false}}` | ElasticSearch subchart deployment
Ref: https://github.com/bitnami/charts/blob/main/bitnami/elasticsearch/values.yaml | | elasticsearch.clusterName | string | `"elastic"` | Elasticsearch cluster name | | elasticsearch.coordinating | object | `{"replicaCount":0}` | Coordinating-only nodes parameters | | elasticsearch.coordinating.replicaCount | int | `0` | Number of coordinating-only replicas to deploy | @@ -98,15 +98,15 @@ helm show values opencti/opencti | elasticsearch.master.persistence | object | `{"enabled":false}` | Enable persistence using Persistent Volume Claims
Ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ | | elasticsearch.master.persistence.enabled | bool | `false` | Enable persistence using a `PersistentVolumeClaim` | | elasticsearch.master.replicaCount | int | `1` | Number of master-eligible replicas to deploy | -| env | object | `{"APP__ADMIN__EMAIL":"admin@opencti.io","APP__ADMIN__PASSWORD":"ChangeMe","APP__ADMIN__TOKEN":"ChangeMe","APP__BASE_PATH":"/","APP__GRAPHQL__PLAYGROUND__ENABLED":false,"APP__GRAPHQL__PLAYGROUND__FORCE_DISABLED_INTROSPECTION":false,"APP__HEALTH_ACCESS_KEY":"ChangeMe","APP__TELEMETRY__METRICS__ENABLED":true,"ELASTICSEARCH__URL":"http://release-name-elasticsearch:9200","MINIO__ENDPOINT":"release-name-minio:9000","RABBITMQ__HOSTNAME":"release-name-rabbitmq","RABBITMQ__PASSWORD":"ChangeMe","RABBITMQ__PORT":5672,"RABBITMQ__PORT_MANAGEMENT":15672,"RABBITMQ__USERNAME":"user","REDIS__HOSTNAME":"release-name-redis-master","REDIS__MODE":"single","REDIS__PORT":6379}` | Environment variables to configure application
Ref: https://docs.opencti.io/latest/deployment/configuration/#platform | -| envFromSecrets | object | `{}` | Secrets from variables | -| fullnameOverride | string | `""` | String to fully override opencti.fullname template | -| global | object | `{"imagePullSecrets":[],"imageRegistry":""}` | Global configuration | -| image | object | `{"pullPolicy":"IfNotPresent","repository":"opencti/platform","tag":""}` | Image registry | -| imagePullSecrets | list | `[]` | Global Docker registry secret names as an array | -| ingress | object | `{"annotations":{},"className":"","enabled":false,"hosts":[{"host":"chart-example.local","paths":[{"path":"/","pathType":"ImplementationSpecific"}]}],"tls":[]}` | Ingress configuration to expose app | -| livenessProbe | object | `{"enabled":true,"failureThreshold":3,"initialDelaySeconds":180,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":5}` | Configure liveness checker
Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes | -| livenessProbeCustom | object | `{}` | Custom livenessProbe | +| env | object | `{"APP__ADMIN__EMAIL":"admin@opencti.io","APP__ADMIN__PASSWORD":"ChangeMe","APP__ADMIN__TOKEN":"ChangeMe","APP__BASE_PATH":"/","APP__GRAPHQL__PLAYGROUND__ENABLED":false,"APP__GRAPHQL__PLAYGROUND__FORCE_DISABLED_INTROSPECTION":false,"APP__HEALTH_ACCESS_KEY":"ChangeMe","APP__TELEMETRY__METRICS__ENABLED":true,"ELASTICSEARCH__URL":"http://release-name-elasticsearch:9200","MINIO__ENDPOINT":"release-name-minio:9000","RABBITMQ__HOSTNAME":"release-name-rabbitmq","RABBITMQ__PASSWORD":"ChangeMe","RABBITMQ__PORT":5672,"RABBITMQ__PORT_MANAGEMENT":15672,"RABBITMQ__USERNAME":"user","REDIS__HOSTNAME":"release-name-redis-master","REDIS__MODE":"single","REDIS__PORT":6379}` | Environment variables to configure application
Ref: https://docs.openbas.io/latest/deployment/configuration/#platform | +| envFromSecrets | object | `{}` | Secrets from variables | +| fullnameOverride | string | `""` | String to fully override opencti.fullname template | +| global | object | `{"imagePullSecrets":[],"imageRegistry":""}` | Global configuration The global section contains configuration options that are applied to all services @default - See below | +| image | object | See below | Image registry The image configuration for the base service | +| imagePullSecrets | list | `[]` | Global Docker registry secret names as an array | +| ingress | object | `{"annotations":{},"className":"","enabled":false,"hosts":[{"host":"chart-example.local","paths":[{"path":"/","pathType":"ImplementationSpecific"}]}],"tls":[]}` | Ingress configuration to expose app
Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ | +| livenessProbe | object | `{"enabled":true,"failureThreshold":3,"initialDelaySeconds":180,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":5}` | Configure liveness checker
Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes | +| livenessProbeCustom | object | `{}` | Custom livenessProbe | | minio | object | `{"auth":{"rootPassword":"ChangeMe","rootUser":"ChangeMe"},"enabled":true,"mode":"standalone","persistence":{"enabled":false}}` | MinIO subchart deployment
Ref: https://github.com/bitnami/charts/blob/main/bitnami/minio/values.yaml | | minio.auth.rootPassword | string | `"ChangeMe"` | Password for Minio root user | | minio.auth.rootUser | string | `"ChangeMe"` | Minio root username | @@ -114,15 +114,17 @@ helm show values opencti/opencti | minio.mode | string | `"standalone"` | mode Minio server mode (`standalone` or `distributed`)
Ref: https://docs.minio.io/docs/distributed-minio-quickstart-guide | | minio.persistence | object | `{"enabled":false}` | Enable persistence using Persistent Volume Claims
Ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ | | minio.persistence.enabled | bool | `false` | Enable MinIO data persistence using PVC. If false, use emptyDir | -| nameOverride | string | `""` | String to partially override opencti.fullname template (will maintain the release name) | -| nodeSelector | object | `{}` | Node labels for pod assignment | -| opensearch | object | `{"enabled":false,"opensearchJavaOpts":"-Xmx512M -Xms512M","persistence":{"enabled":false},"singleNode":true}` | OpenSearch subchart deployment
Ref: https://github.com/opensearch-project/helm-charts/blob/opensearch-2.16.1/charts/opensearch/values.yaml | +| nameOverride | string | `""` | String to partially override opencti.fullname template (will maintain the release name) | +| nodeSelector | object | `{}` | Node labels for pod assignment
Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | +| opensearch | object | `{"enabled":false,"opensearchJavaOpts":"-Xmx512M -Xms512M","persistence":{"enabled":false},"singleNode":true}` | OpenSearch subchart deployment
Ref: https://github.com/opensearch-project/helm-charts/blob/opensearch-2.16.1/charts/opensearch/values.yaml | | opensearch.enabled | bool | `false` | Enable or disable OpenSearch subchart | | opensearch.opensearchJavaOpts | string | `"-Xmx512M -Xms512M"` | OpenSearch Java options | | opensearch.persistence | object | `{"enabled":false}` | Enable persistence using Persistent Volume Claims
Ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ | | opensearch.singleNode | bool | `true` | If discovery.type in the opensearch configuration is set to "single-node", this should be set to "true" If "true", replicas will be forced to 1 | -| podSecurityContext | object | `{}` | Defines privilege and access control settings for a Pod.
Ref: https://kubernetes.io/docs/concepts/security/pod-security-standards/
Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ | -| rabbitmq | object | `{"auth":{"erlangCookie":"ChangeMe","password":"ChangeMe","username":"user"},"clustering":{"enabled":false},"enabled":true,"persistence":{"enabled":false},"replicaCount":1}` | RabbitMQ subchart deployment
Ref: https://github.com/bitnami/charts/blob/main/bitnami/rabbitmq/values.yaml | +| podAnnotations | object | `{}` | Configure annotations on Pods | +| podLabels | object | `{}` | Configure labels on Pods | +| podSecurityContext | object | `{}` | Defines privilege and access control settings for a Pod
Ref: https://kubernetes.io/docs/concepts/security/pod-security-standards/
Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ | +| rabbitmq | object | `{"auth":{"erlangCookie":"ChangeMe","password":"ChangeMe","username":"user"},"clustering":{"enabled":false},"enabled":true,"persistence":{"enabled":false},"replicaCount":1}` | RabbitMQ subchart deployment
Ref: https://github.com/bitnami/charts/blob/main/bitnami/rabbitmq/values.yaml | | rabbitmq.auth | object | `{"erlangCookie":"ChangeMe","password":"ChangeMe","username":"user"}` | RabbitMQ Authentication parameters | | rabbitmq.auth.password | string | `"ChangeMe"` | RabbitMQ application password
Ref: https://github.com/bitnami/containers/tree/main/bitnami/rabbitmq#environment-variables | | rabbitmq.auth.username | string | `"user"` | RabbitMQ application username
Ref: https://github.com/bitnami/containers/tree/main/bitnami/rabbitmq#environment-variables | @@ -132,13 +134,14 @@ helm show values opencti/opencti | rabbitmq.persistence | object | `{"enabled":false}` | Persistence parameters | | rabbitmq.persistence.enabled | bool | `false` | Enable RabbitMQ data persistence using PVC | | rabbitmq.replicaCount | int | `1` | Number of RabbitMQ replicas to deploy | -| readinessProbe | object | `{"enabled":true,"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":1}` | Configure readinessProbe checker
Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes | -| readinessProbeCustom | object | `{}` | Custom readinessProbe | -| readyChecker | object | `{"enabled":true,"retries":30,"services":[{"name":"elasticsearch","port":9200},{"name":"minio","port":9000},{"name":"rabbitmq","port":5672},{"name":"redis-master","port":6379}],"timeout":5}` | Enable or disable ready-checker | +| readinessProbe | object | `{"enabled":true,"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":1}` | Configure readinessProbe checker
Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes | +| readinessProbeCustom | object | `{}` | Custom readinessProbe | +| readyChecker | object | `{"enabled":true,"retries":30,"services":[{"name":"elasticsearch","port":9200},{"name":"minio","port":9000},{"name":"rabbitmq","port":5672},{"name":"redis-master","port":6379}],"timeout":5}` | Enable or disable ready-checker | +| readyChecker.enabled | bool | `true` | Enable or disable ready-checker | | readyChecker.retries | int | `30` | Number of retries before giving up | | readyChecker.services | list | `[{"name":"elasticsearch","port":9200},{"name":"minio","port":9000},{"name":"rabbitmq","port":5672},{"name":"redis-master","port":6379}]` | List services | | readyChecker.timeout | int | `5` | Timeout for each check | -| redis | object | `{"architecture":"standalone","auth":{"enabled":false},"enabled":true,"master":{"count":1,"persistence":{"enabled":false}},"replica":{"persistence":{"enabled":false},"replicaCount":1}}` | Redis subchart deployment
Ref: https://github.com/bitnami/charts/blob/main/bitnami/redis/values.yaml | +| redis | object | `{"architecture":"standalone","auth":{"enabled":false},"enabled":true,"master":{"count":1,"persistence":{"enabled":false}},"replica":{"persistence":{"enabled":false},"replicaCount":1}}` | Redis subchart deployment
Ref: https://github.com/bitnami/charts/blob/main/bitnami/redis/values.yaml | | redis.architecture | string | `"standalone"` | Redis architecture. Allowed values: `standalone` or `replication` | | redis.auth | object | `{"enabled":false}` | Redis Authentication parameters
Ref: https://github.com/bitnami/containers/tree/main/bitnami/redis#setting-the-server-password-on-first-run | | redis.auth.enabled | bool | `false` | Enable password authentication | @@ -151,33 +154,39 @@ helm show values opencti/opencti | redis.replica.persistence | object | `{"enabled":false}` | Persistence parameters
Ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ | | redis.replica.persistence.enabled | bool | `false` | Enable persistence on Redis master nodes using Persistent Volume Claims | | redis.replica.replicaCount | int | `1` | Number of Redis replicas to deploy | -| replicaCount | int | `1` | Number of replicas | -| resources | object | `{}` | The resources limits and requested | -| secrets | object | `{}` | Secrets values to create credentials and reference by envFromSecrets | -| securityContext | object | `{}` | Defines privilege and access control settings for a Container.
Ref: https://kubernetes.io/docs/concepts/security/pod-security-standards/
Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ | -| service | object | `{"port":80,"targetPort":4000,"type":"ClusterIP"}` | Kubernetes service to expose Pod | -| service.port | int | `80` | Kubernetes Service port | -| service.targetPort | int | `4000` | Pod expose port | -| service.type | string | `"ClusterIP"` | Kubernetes Service type. Allowed values: NodePort, LoadBalancer or ClusterIP | -| serviceAccount | object | `{"annotations":{},"automountServiceAccountToken":false,"create":true,"name":""}` | Enable creation of ServiceAccount | -| serviceMonitor | object | `{"enabled":false,"interval":"30s","metricRelabelings":[],"relabelings":[],"scrapeTimeout":"10s"}` | Enable ServiceMonitor to get metrics
Ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#servicemonitor | +| replicaCount | int | `1` | Number of replicas Specifies the number of replicas for the service | +| resources | object | `{}` | The resources limits and requested
Ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | +| secrets | object | `{}` | Secrets values to create credentials and reference by envFromSecrets Generate Secret with following name: -credentials | +| securityContext | object | `{}` | Defines privilege and access control settings for a Container
Ref: https://kubernetes.io/docs/concepts/security/pod-security-standards/
Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ | +| service | object | `{"port":80,"targetPort":4000,"type":"ClusterIP"}` | Kubernetes service to expose Pod
Ref: https://kubernetes.io/docs/concepts/services-networking/service/ | +| service.port | int | `80` | Kubernetes Service port | +| service.targetPort | int | `4000` | Pod expose port | +| service.type | string | `"ClusterIP"` | Kubernetes Service type. Allowed values: NodePort, LoadBalancer or ClusterIP | +| serviceAccount | object | `{"annotations":{},"automountServiceAccountToken":false,"create":true,"name":""}` | Enable creation of ServiceAccount @default - See below | +| serviceMonitor | object | `{"enabled":false,"interval":"30s","metricRelabelings":[],"relabelings":[],"scrapeTimeout":"10s"}` | Enable ServiceMonitor to get metrics
Ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#servicemonitor | | serviceMonitor.enabled | bool | `false` | Enable or disable | -| startupProbe | object | `{"enabled":true,"failureThreshold":30,"initialDelaySeconds":180,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":5}` | Configure startupProbe checker
Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes | -| startupProbeCustom | object | `{}` | Custom startupProbe | -| testConnection | bool | `false` | Enable or disable test connection | -| tolerations | list | `[]` | Tolerations for pod assignment | -| worker | object | `{"affinity":{},"autoscaling":{"enabled":false,"maxReplicas":100,"minReplicas":1,"targetCPUUtilizationPercentage":80},"enabled":true,"env":{"WORKER_LOG_LEVEL":"info","WORKER_TELEMETRY_ENABLED":true},"envFromSecrets":{},"image":{"pullPolicy":"IfNotPresent","repository":"opencti/worker","tag":""},"nodeSelector":{},"readyChecker":{"enabled":true,"retries":30,"timeout":5},"replicaCount":1,"resources":{},"serviceMonitor":{"enabled":false,"interval":"30s","metricRelabelings":[],"relabelings":[],"scrapeTimeout":"10s"},"tolerations":[]}` | OpenCTI worker deployment configuration | -| worker.affinity | object | `{}` | Affinity for pod assignment | -| worker.autoscaling | object | `{"enabled":false,"maxReplicas":100,"minReplicas":1,"targetCPUUtilizationPercentage":80}` | Autoscaling with CPU or memory utilization percentage | -| worker.env | object | `{"WORKER_LOG_LEVEL":"info","WORKER_TELEMETRY_ENABLED":true}` | Environment variables to configure application
Ref: https://docs.opencti.io/latest/deployment/configuration/#platform | -| worker.envFromSecrets | object | `{}` | Secrets from variables | -| worker.image | object | `{"pullPolicy":"IfNotPresent","repository":"opencti/worker","tag":""}` | Image registry | -| worker.nodeSelector | object | `{}` | Node labels for pod assignment | -| worker.readyChecker | object | `{"enabled":true,"retries":30,"timeout":5}` | Enable or disable ready-checker waiting server is ready | +| startupProbe | object | `{"enabled":true,"failureThreshold":30,"initialDelaySeconds":180,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":5}` | Configure startupProbe checker
Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes | +| startupProbeCustom | object | `{}` | Custom startupProbe | +| testConnection | bool | `false` | Enable or disable test connection | +| tolerations | list | `[]` | Tolerations for pod assignment
Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ | +| volumeMounts | list | `[]` | Additional volumeMounts on the output Deployment definition | +| volumes | list | `[]` | Additional volumes on the output Deployment definition | +| worker | object | `{"affinity":{},"autoscaling":{"enabled":false,"maxReplicas":100,"minReplicas":1,"targetCPUUtilizationPercentage":80},"enabled":true,"env":{"WORKER_LOG_LEVEL":"info","WORKER_TELEMETRY_ENABLED":true},"envFromSecrets":{},"image":{"pullPolicy":"IfNotPresent","repository":"opencti/worker","tag":""},"nodeSelector":{},"readyChecker":{"enabled":true,"retries":30,"timeout":5},"replicaCount":1,"resources":{},"serviceMonitor":{"enabled":false,"interval":"30s","metricRelabelings":[],"relabelings":[],"scrapeTimeout":"10s"},"tolerations":[],"volumeMounts":[],"volumes":[]}` | OpenCTI worker deployment configuration
Ref: https://docs.opencti.io/latest/deployment/overview/#workers | +| worker.affinity | object | `{}` | Affinity for pod assignment
Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity | +| worker.autoscaling | object | `{"enabled":false,"maxReplicas":100,"minReplicas":1,"targetCPUUtilizationPercentage":80}` | Autoscaling with CPU or memory utilization percentage
Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ | +| worker.enabled | bool | `true` | Enable or disable worker | +| worker.env | object | `{"WORKER_LOG_LEVEL":"info","WORKER_TELEMETRY_ENABLED":true}` | Environment variables to configure application
Ref: https://docs.opencti.io/latest/deployment/configuration/#platform | +| worker.envFromSecrets | object | `{}` | Secrets from variables | +| worker.image | object | See below | Image registry The image configuration for the base service | +| worker.nodeSelector | object | `{}` | Node labels for pod assignment
Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | +| worker.readyChecker | object | `{"enabled":true,"retries":30,"timeout":5}` | Enable or disable ready-checker waiting server is ready | +| worker.readyChecker.enabled | bool | `true` | Enable or disable ready-checker | | worker.readyChecker.retries | int | `30` | Number of retries before giving up | | worker.readyChecker.timeout | int | `5` | Timeout for each check | -| worker.replicaCount | int | `1` | Number of replicas | -| worker.resources | object | `{}` | The resources limits and requested | -| worker.serviceMonitor | object | `{"enabled":false,"interval":"30s","metricRelabelings":[],"relabelings":[],"scrapeTimeout":"10s"}` | Enable ServiceMonitor to get metrics
Ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#servicemonitor | +| worker.replicaCount | int | `1` | Number of replicas Specifies the number of replicas for the service | +| worker.resources | object | `{}` | The resources limits and requested
Ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | +| worker.serviceMonitor | object | `{"enabled":false,"interval":"30s","metricRelabelings":[],"relabelings":[],"scrapeTimeout":"10s"}` | Enable ServiceMonitor to get metrics
Ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#servicemonitor | | worker.serviceMonitor.enabled | bool | `false` | Enable or disable | -| worker.tolerations | list | `[]` | Tolerations for pod assignment | +| worker.tolerations | list | `[]` | Tolerations for pod assignment
Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ | +| worker.volumeMounts | list | `[]` | Additional volumeMounts on the output Deployment definition | +| worker.volumes | list | `[]` | Additional volumes on the output Deployment definition | diff --git a/charts/opencti/templates/connector/deployment.yaml b/charts/opencti/templates/connector/deployment.yaml index b8b9bfb..0b7eb5d 100644 --- a/charts/opencti/templates/connector/deployment.yaml +++ b/charts/opencti/templates/connector/deployment.yaml @@ -33,15 +33,11 @@ spec: {{- include "opencti.selectorLabels" $ | nindent 8 }} spec: {{- if .imagePullSecrets }} - {{- with .imagePullSecrets }} imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} + {{- toYaml .imagePullSecrets | nindent 8 }} {{- else if $.Values.global.imagePullSecrets }} - {{- with $.Values.global.imagePullSecrets }} imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} + {{- toYaml $.Values.global.imagePullSecrets | nindent 8 }} {{- end }} {{- if .serviceAccount }} serviceAccountName: {{ if and .serviceAccount (hasKey .serviceAccount "name") }}{{ .serviceAccount.name }}{{ else }}{{ $connectorName }}-connector-{{ include "opencti.fullname" $ }}{{ end }} @@ -77,11 +73,9 @@ spec: {{- toYaml .securityContext | nindent 12 }} image: "{{- if and .image (hasKey .image "repository") }}{{ .image.repository }}{{- else if $.Values.global.imageRegistry }}{{ printf "%s/opencti/%s" $.Values.global.imageRegistry .name }}{{- else }}{{ printf "opencti/%s" .name }}{{- end }}:{{ if and .image (hasKey .image "tag") }}{{ .image.tag | default $.Chart.AppVersion }}{{ else }}{{ $.Chart.AppVersion }}{{ end }}" imagePullPolicy: {{ if and .image (hasKey .image "pullPolicy") }}{{ .image.pullPolicy }}{{ else }}IfNotPresent{{ end }} - env: # Variables from secrets have precedence {{- $envList := dict -}} - {{- if .envFromSecrets }} {{- range $key, $value := .envFromSecrets }} - name: {{ $key | upper }} 
@@ -92,7 +86,6 @@ spec: {{- $_ := set $envList $key true }} {{- end }} {{- end }} - # Special handling for OPENCTI_URL which is constructed from other values {{- if not (hasKey $envList "OPENCTI_URL") }} {{- if eq $.Values.env.APP__BASE_PATH "/" }} @@ -103,14 +96,12 @@ spec: value: "http://{{ include "opencti.fullname" $ }}-server:{{ $.Values.service.port }}{{ $.Values.env.APP__BASE_PATH }}" {{- end }} {{- end }} - # Special handling for OPENCTI_TOKEN which is constructed from other values {{- if and (not (hasKey .env "OPENCTI_TOKEN")) ($.Values.env.APP__ADMIN__TOKEN) }} - name: OPENCTI_TOKEN value: "{{ $.Values.env.APP__ADMIN__TOKEN }}" {{- end }} - - # Add Variables in plain text if they were not already added from secrets + # Add variables in plain text if they were not already added from secrets {{- if .env }} {{- range $key, $value := .env }} {{- if not (hasKey $envList $key) }} @@ -120,7 +111,6 @@ spec: {{- end }} {{- end }} {{- end }} - resources: {{- toYaml .resources | nindent 12 }} {{- with .nodeSelector }} diff --git a/charts/opencti/templates/server/deployment.yaml b/charts/opencti/templates/server/deployment.yaml index 5007221..6e87d9f 100644 --- a/charts/opencti/templates/server/deployment.yaml +++ b/charts/opencti/templates/server/deployment.yaml @@ -22,17 +22,16 @@ spec: labels: opencti.component: server {{- include "opencti.selectorLabels" . | nindent 8 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} spec: {{- if .Values.imagePullSecrets }} - {{- with .Values.imagePullSecrets }} imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} + {{- toYaml .Values.imagePullSecrets | nindent 8 }} {{- else if .Values.global.imagePullSecrets }} - {{- with .Values.global.imagePullSecrets }} imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} + {{- toYaml .Values.global.imagePullSecrets | nindent 8 }} {{- end }} serviceAccountName: {{ include "opencti.serviceAccountName" . }} securityContext: 
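Review bot: In the server pod template (`@@ -22,17 +22,16 @@`) the new `.Values.podLabels` block is rendered after `opencti.selectorLabels`, so a user-supplied label with the same key as a selector label produces a duplicate mapping key in the pod metadata, which is more likely to be rejected when the manifest is parsed than to override the chart's value. Documenting that constraint on the value, e.g. `# -- Configure labels on Pods (must not reuse the chart's selector label keys)`, or merging the two maps before rendering, would make that explicit. The commit message and the README also introduce `podAnnotations`, but no hunk in this patch renders `.Values.podAnnotations` into the pod template's `annotations:`; if that wiring lives in template lines the patch does not touch, fine, otherwise the documented value has no effect. The pod template's `metadata:` begins before this hunk.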
@@ -134,7 +133,6 @@ spec: value: --max-old-space-size=8096 - name: PROVIDERS__LOCAL__STRATEGY value: LocalStrategy - # Variables from secrets have precedence {{- $envList := dict -}} {{- if .Values.envFromSecrets }} @@ -149,8 +147,7 @@ spec: {{- end }} {{- end }} {{- end }} - - # Add Variables in plain text if they were not already added from secrets + # Add variables in plain text if they were not already added from secrets {{- if .Values.env }} {{- range $key, $value := .Values.env }} {{- if not (hasKey $envList $key) }} @@ -160,9 +157,16 @@ spec: {{- end }} {{- end }} {{- end }} - resources: {{- toYaml .Values.resources | nindent 12 }} + {{- with .Values.volumeMounts }} + volumeMounts: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.volumes }} + volumes: + {{- toYaml . | nindent 8 }} + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/opencti/templates/worker/deployment.yaml b/charts/opencti/templates/worker/deployment.yaml index c050bdd..9bf84b1 100644 --- a/charts/opencti/templates/worker/deployment.yaml +++ b/charts/opencti/templates/worker/deployment.yaml 
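Review bot: In `@@ -160,9 +157,16 @@` the pod-level `volumes:` block (`nindent 8`) is emitted directly after the container-level `volumeMounts:` (`nindent 12`), so it only parses as a pod-spec key because the main container is the last entry of `containers:` at that point; a future sidecar appended after `resources:` would silently push `volumes` into the container mapping. Moving the `volumes` block next to `nodeSelector`/`tolerations`, or at least marking it with `# pod-level: must stay after the last container`, would make the intent visible. The worker deployment (`@@ -117,9 +112,16 @@`) has the same layout.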
@@ -23,22 +23,21 @@ spec: labels: opencti.component: worker {{- include "opencti.selectorLabels" . | nindent 8 }} + {{- with .Values.worker.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} spec: {{- if .Values.worker.imagePullSecrets }} - {{- with .Values.worker.imagePullSecrets }} imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} + {{- toYaml .Values.worker.imagePullSecrets | nindent 8 }} {{- else if .Values.global.imagePullSecrets }} - {{- with .Values.global.imagePullSecrets }} imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} + {{- toYaml .Values.global.imagePullSecrets | nindent 8 }} {{- end }} serviceAccountName: {{ include "opencti.serviceAccountName" . }} securityContext: {{- toYaml .Values.worker.podSecurityContext | nindent 8 }} - {{- if .Values.readyChecker.enabled }} + {{- if .Values.worker.readyChecker.enabled }} initContainers: - name: ready-checker-server {{- if $.Values.global.imageRegistry }} @@ -78,7 +77,6 @@ spec: env: # Variables from secrets have precedence {{- $envList := dict -}} - {{- if .Values.worker.envFromSecrets }} {{- range $key, $value := .Values.worker.envFromSecrets }} - name: {{ $key | upper }} @@ -89,7 +87,6 @@ spec: {{- $_ := set $envList $key true }} {{- end }} {{- end }} - # Special handling for OPENCTI_URL which is constructed from other values {{- if not (hasKey $envList "OPENCTI_URL") }} {{- if eq .Values.env.APP__BASE_PATH "/" }} 
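Review bot: In `@@ -23,22 +23,21 @@` the worker template now reads `.Values.worker.podLabels`, but the README regenerated in this patch adds only the top-level `podLabels`/`podAnnotations` rows and no `worker.podLabels`, and the values.yaml hunks visible here do not reach the `worker:` section; `with` on a missing key renders nothing, so the knob exists without being discoverable. Declaring it under `worker:` in values.yaml, `# -- Configure labels on Pods` followed by `podLabels: {}`, and regenerating the README would close that gap. The switch to `.Values.worker.readyChecker.enabled` in the same hunk matches the `worker.readyChecker.enabled` value the README documents.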
@@ -100,14 +97,12 @@ spec: value: "http://{{ include "opencti.fullname" . }}-server:{{ .Values.service.port }}{{ .Values.env.APP__BASE_PATH }}" {{- end }} {{- end }} - # Special handling for OPENCTI_TOKEN which is constructed from other values {{- if and (not (hasKey $envList "OPENCTI_TOKEN")) (.Values.env.APP__ADMIN__TOKEN) }} - name: OPENCTI_TOKEN value: "{{ .Values.env.APP__ADMIN__TOKEN }}" {{- end }} - - # Add Variables in plain text from .Values.worker.env if they were not already added from secrets + # Add variables in plain text from .Values.worker.env if they were not already added from secrets {{- if .Values.worker.env }} {{- range $key, $value := .Values.worker.env }} {{- if not (hasKey $envList $key) }} @@ -117,9 +112,16 @@ spec: {{- end }} {{- end }} {{- end }} - resources: {{- toYaml .Values.worker.resources | nindent 12 }} + {{- with .Values.worker.volumeMounts }} + volumeMounts: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.worker.volumes }} + volumes: + {{- toYaml . | nindent 8 }} + {{- end }} {{- with .Values.worker.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/opencti/values.yaml b/charts/opencti/values.yaml index d151189..bfec85c 100644 --- a/charts/opencti/values.yaml +++ b/charts/opencti/values.yaml @@ -1,6 +1,13 @@ # -- Global configuration +# The global section contains configuration options that are applied to all services +# @default - See below +# global: + # Specifies the registry to pull images from. Leave empty for the default registry + # imageRegistry: "" + # Specifies the secrets to use for pulling images from private registries + # Leave empty if no secrets are required # E.g. # imagePullSecrets: # - name: myRegistryKeySecretName 
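Review bot: In `@@ -1,6 +1,13 @@` the new `# @default - See below` line under `# -- Global configuration` uses a single dash, which the README generator (helm-docs, judging by the `# --` comment syntax) does not treat as its `@default --` tag; the regenerated README in this patch shows the effect, with `@default - See below` leaking into the description column of the `global` row while the default column still prints the full object. The `image` block in `@@ -8,25 +15,40 @@` uses `# @default -- See below` and its README row correctly shows `See below` as the default, whereas the `serviceAccount` block in that hunk repeats the single-dash form. Changing both to `# @default -- See below` and regenerating the README fixes it.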
@@ -8,25 +15,40 @@ global: imagePullSecrets: [] # -- Number of replicas +# Specifies the number of replicas for the service +# replicaCount: 1 # -- Image registry +# The image configuration for the base service +# @default -- See below +# image: + # The repository of the image + # repository: opencti/platform + # The pull policy for the image + # pullPolicy: IfNotPresent - # Overrides the image tag whose default is the chart appVersion. + # Overrides the image tag whose default is the chart appVersion + # tag: "" # -- String to partially override opencti.fullname template (will maintain the release name) +# nameOverride: "" # -- String to fully override opencti.fullname template +# fullnameOverride: "" # -- Global Docker registry secret names as an array +# imagePullSecrets: [] # -- Enable creation of ServiceAccount +# @default - See below +# serviceAccount: # Specifies whether a service account should be created create: true @@ -40,10 +62,12 @@ serviceAccount: automountServiceAccountToken: false # -- Enable or disable test connection +# testConnection: false # -- Environment variables to configure application -#
Ref: https://docs.opencti.io/latest/deployment/configuration/#platform +#
Ref: https://docs.openbas.io/latest/deployment/configuration/#platform +# env: # APP OPENCTI APP__ADMIN__EMAIL: admin@opencti.io @@ -52,7 +76,7 @@ env: APP__BASE_PATH: "/" APP__GRAPHQL__PLAYGROUND__ENABLED: false APP__GRAPHQL__PLAYGROUND__FORCE_DISABLED_INTROSPECTION: false - # MINIO: + # MINIO MINIO__ENDPOINT: release-name-minio:9000 # ELASTICSEARCH ELASTICSEARCH__URL: http://release-name-elasticsearch:9200 @@ -71,26 +95,34 @@ env: APP__HEALTH_ACCESS_KEY: ChangeMe # -- Secrets from variables +# envFromSecrets: {} - # Cipher vars - # my_env: - # name: release-name-credentials + # MY_VARIABLE: + # name: -credentials # key: secret_key # -- Secrets values to create credentials and reference by envFromSecrets +# Generate Secret with following name: -credentials +# secrets: {} # -- Kubernetes service to expose Pod +#
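Review bot: In `@@ -40,10 +62,12 @@` the Ref for the top-level `env` block is changed from `https://docs.opencti.io/latest/deployment/configuration/#platform` to `https://docs.openbas.io/latest/deployment/configuration/#platform`, which is the OpenBAS documentation, while this chart configures OpenCTI and the worker section's Ref in `@@ -327,27 +413,38 @@` still points at docs.opencti.io. This looks like a copy-paste from a sibling chart rather than an intended change, and the README is generated from these comments, so the wrong link propagates there. Restoring `Ref: https://docs.opencti.io/latest/deployment/configuration/#platform` keeps the two sections consistent.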
Ref: https://kubernetes.io/docs/concepts/services-networking/service/ +# service: # -- Kubernetes Service type. Allowed values: NodePort, LoadBalancer or ClusterIP + # type: ClusterIP # -- Kubernetes Service port + # port: 80 # -- NodePort port (only when type is NodePort) # nodePort: 32000 # -- Pod expose port + # targetPort: 4000 # -- Pod extra ports + # # extraPorts: # - name: metrics # port: 9080 @@ -98,6 +130,7 @@ service: # -- Enable ServiceMonitor to get metrics #
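Review bot: The `envFromSecrets` example in `@@ -71,26 +95,34 @@` now reads `name: -credentials`, and the new `secrets` comment reads `Generate Secret with following name: -credentials`; the same shape appears in the worker section at `@@ -327,27 +413,38 @@`. If a placeholder token in angle brackets was intended before `-credentials`, it is being swallowed as markup when the comment is rendered (as it is on this page), so the example no longer says which Secret name the chart expects; the previous `release-name-credentials` was readable as-is. Writing the placeholder without angle brackets, for example `name: release-name-credentials  # <fullname>-credentials` spelled in plain words, would survive helm-docs' Markdown rendering of the README.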
Ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#servicemonitor +# serviceMonitor: # -- Enable or disable enabled: false @@ -108,6 +141,7 @@ serviceMonitor: # -- Configure liveness checker #
Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes +# livenessProbe: enabled: true failureThreshold: 3 @@ -117,6 +151,7 @@ livenessProbe: timeoutSeconds: 5 # -- Custom livenessProbe +# livenessProbeCustom: {} # httpGet: # path: /dashboard @@ -129,6 +164,7 @@ livenessProbeCustom: {} # -- Configure readinessProbe checker #
Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes +# readinessProbe: enabled: true failureThreshold: 3 @@ -138,6 +174,7 @@ readinessProbe: timeoutSeconds: 1 # -- Custom readinessProbe +# readinessProbeCustom: {} # httpGet: # path: /dashboard @@ -150,6 +187,7 @@ readinessProbeCustom: {} # -- Configure startupProbe checker #
Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes +# startupProbe: enabled: true failureThreshold: 30 @@ -159,6 +197,7 @@ startupProbe: timeoutSeconds: 5 # -- Custom startupProbe +# startupProbeCustom: {} # httpGet: # path: /dashboard @@ -170,7 +209,9 @@ startupProbeCustom: {} # timeoutSeconds: 5 # -- Enable or disable ready-checker +# readyChecker: + # -- Enable or disable ready-checker enabled: true # -- Number of retries before giving up retries: 30 @@ -187,15 +228,25 @@ readyChecker: - name: redis-master port: 6379 -# -- Defines privilege and access control settings for a Pod. +# -- Configure annotations on Pods +# +podAnnotations: {} + +# -- Configure labels on Pods +# +podLabels: {} + +# -- Defines privilege and access control settings for a Pod #
Ref: https://kubernetes.io/docs/concepts/security/pod-security-standards/ #
Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +# podSecurityContext: {} # fsGroup: 2000 -# -- Defines privilege and access control settings for a Container. +# -- Defines privilege and access control settings for a Container #
Ref: https://kubernetes.io/docs/concepts/security/pod-security-standards/ #
Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +# securityContext: {} # capabilities: # drop: @@ -205,6 +256,8 @@ securityContext: {} # runAsUser: 1000 # -- Ingress configuration to expose app +#
Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ +# ingress: enabled: false className: "" @@ -222,6 +275,8 @@ ingress: # - chart-example.local # -- The resources limits and requested +#
Ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +# resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little @@ -235,6 +290,8 @@ resources: {} # memory: 256Mi # -- Autoscaling with CPU or memory utilization percentage +#
Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ +# autoscaling: enabled: false minReplicas: 1 @@ -242,22 +299,43 @@ autoscaling: targetCPUUtilizationPercentage: 80 # targetMemoryUtilizationPercentage: 80 +# -- Additional volumes on the output Deployment definition +# +volumes: [] +# - name: foo +# secret: +# secretName: mysecret +# optional: false + +# -- Additional volumeMounts on the output Deployment definition +# +volumeMounts: [] +# - name: foo +# mountPath: "/etc/foo" +# readOnly: true + # -- Node labels for pod assignment +#
Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector +# nodeSelector: {} # -- Tolerations for pod assignment +#
Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ +# tolerations: [] # -- Affinity for pod assignment +#
Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity +# affinity: {} # -- Connector Global environment connectorsGlobalEnv: {} - # foo: bar - # my_env: my_value + # MY_VARIABLE: my_value # -- Connectors #
Ref: https://github.com/OpenCTI-Platform/connectors/tree/master +# connectors: [] # - name: connector-name # enabled: true @@ -312,14 +390,22 @@ connectors: [] # affinity: {} # -- OpenCTI worker deployment configuration +#
Ref: https://docs.opencti.io/latest/deployment/overview/#workers +# worker: + # -- Enable or disable worker + # enabled: true # -- Number of replicas + # Specifies the number of replicas for the service + # replicaCount: 1 # -- Enable or disable ready-checker waiting server is ready + # readyChecker: + # -- Enable or disable ready-checker enabled: true # -- Number of retries before giving up retries: 30 @@ -327,27 +413,38 @@ worker: timeout: 5 # -- Image registry + # The image configuration for the base service + # @default -- See below + # image: + # The repository of the image + # repository: opencti/worker + # The pull policy for the image + # pullPolicy: IfNotPresent - # Overrides the image tag whose default is the chart appVersion. + # Overrides the image tag whose default is the chart appVersion + # tag: "" # -- Environment variables to configure application #
Ref: https://docs.opencti.io/latest/deployment/configuration/#platform + # env: WORKER_LOG_LEVEL: info # METRICS WORKER_TELEMETRY_ENABLED: true # -- Secrets from variables + # envFromSecrets: {} - # my_env: - # name: release-name-credentials + # MY_VARIABLE: + # name: -credentials # key: secret_key # -- Enable ServiceMonitor to get metrics #
Ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#servicemonitor + # serviceMonitor: # -- Enable or disable enabled: false @@ -357,6 +454,8 @@ worker: relabelings: [] # -- The resources limits and requested + #
Ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + # resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little @@ -370,6 +469,8 @@ worker: # memory: 56Mi # -- Autoscaling with CPU or memory utilization percentage + #
Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + # autoscaling: enabled: false minReplicas: 1 @@ -377,17 +478,39 @@ worker: targetCPUUtilizationPercentage: 80 # targetMemoryUtilizationPercentage: 80 + # -- Additional volumes on the output Deployment definition + # + volumes: [] + # - name: foo + # secret: + # secretName: mysecret + # optional: false + + # -- Additional volumeMounts on the output Deployment definition + # + volumeMounts: [] + # - name: foo + # mountPath: "/etc/foo" + # readOnly: true + # -- Node labels for pod assignment + #
Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector + # nodeSelector: {} # -- Tolerations for pod assignment + #
Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ + # tolerations: [] # -- Affinity for pod assignment + #
Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity + # affinity: {} # -- OpenSearch subchart deployment #
Ref: https://github.com/opensearch-project/helm-charts/blob/opensearch-2.16.1/charts/opensearch/values.yaml +# opensearch: # -- Enable or disable OpenSearch subchart enabled: false @@ -407,6 +530,7 @@ opensearch: # -- ElasticSearch subchart deployment #
Ref: https://github.com/bitnami/charts/blob/main/bitnami/elasticsearch/values.yaml +# elasticsearch: # -- Enable or disable ElasticSearch subchart enabled: true @@ -483,6 +607,7 @@ minio: # -- RabbitMQ subchart deployment #
Ref: https://github.com/bitnami/charts/blob/main/bitnami/rabbitmq/values.yaml +# rabbitmq: # -- Enable or disable RabbitMQ subchart enabled: true @@ -512,6 +637,7 @@ rabbitmq: # -- Redis subchart deployment #
Ref: https://github.com/bitnami/charts/blob/main/bitnami/redis/values.yaml +# redis: # -- Enable or disable Redis subchart enabled: true