Change Log
All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
[1.4.2] - 2026-06-17
Changed
- OpenCTI: Bumped default version to 7.260609.0
- XTM Composer: Bumped default version to 3.260609.0. This version includes a fix for the proxy variables injections. See changelog.
- OpenCTI: Removed arbitrary tags for default initContainers to re-use already listed images in the values file.
- OpenCTI: Made the images for the default initContainers configurable through values file, with the
opencti.defaultInitContainers.imageproperty. This allows to use a custom image or repository for the initContainers if needed. - âš The default image must be able to run
curl. This image does not apply to Redis. - âš Redis initContainer has its own image configuration and must be able to run
redis-cli. - Doc: Updated Docker endpoints whitelisting documentation in requirements.
[1.4.1] - 2026-06-03
Fixed
- XTM Composer: Fixed missing permissions in role to handle connectors secrets when using custom repositories.
Added
- Elasticsearch: Added
extraConfigparameter for both master and data node configuration to handle specific cases.
[1.4.0] - 2026-05-27
Changed
- BREAKING CHANGE:
opencti.enableDefaultInitContainersis nowopencti.defaultInitContainersand can be defined for each component (front, ingests, workers and connectors) instead of being shared for all components. This allows more flexibility in the definition of initContainers for each component - OpenCTI: Added default values for readiness, liveness and startup probes for front and ingests deployments. Probes are still disabled by default but can be enabled through values file
- OpenCTI: Bumped default version to 7.260513.0
- OpenCTI: Set default Redis trimming to
REDIS__TRIMMING: 1000000in OCTI env vars in values file - Elasticsearch: Support for customization of the
initVMMaxMapCountInitContainerimage. Currently set to a pinned version of busybox - Redis: Support for customization of the Redis initContainer image for both Sentinel and Replication StatefulSets. Currently set to a pinned version of busybox
Added
- Elasticsearch: Allow side volume configurations for master and data nodes
⚠️ CAUTION: the ECK operator allows the setting
additionalVolumeClaimTemplatesat cluster setup only. This field can't be updated after. If you need to attach specific PVCs to your volumes, please create them beforehand. - OpenCTI: New default initContainers now allow for resources to be set for each init container
- Doc: Updated document to recommend Helm 3 instead of Helm 4. Please refer to the doc link
- OpenCTI: Added dedicated setup for a LoadBalancer service on front and ingest deployments
- RabbitMQ: Added dedicated setup for a LoadBalancer service for the console
- OpenCTI: Support for
serviceAccountNamein front, ingests, workers, connectors deployments - Redis: Added support for
serviceAccountNamein Redis Standalone and Sentinel/Replication StatefulSets - XTM Composer: Added support for
serviceAccountNamein XTM Composer deployment - OpenCTI: Added support for startup probes for front, ingests deployments.
Fixed
- MinIO: Fixed imagePullSecret configuration for MinIO Tenant CRD when using. The Tenant CRD expects only a
namefield and not a full array.
[1.3.2] - 2026-04-23
Added
- MinIO: Extended configuration to customize all Tenant CRD values
- MinIO: Added boolean to nullify correctly security context (useful in scenarios where it is supersed by the Kubernetes Engine, e.g : OpenShift)
- XTM Composer: Extended configuration capabilities
[1.3.1] - 2026-04-02
Added
- OpenCTI: Added default initContainers front, ingests, workers and connectors. All enabled by default. Each default initContainer will wait for its dependency to be up and running before starting its main app. They can be individually disabled if not needed in your environment.
- OpenCTI: Added configurable initContainers for front, ingests, workers and connectors
- OpenCTI: Added the possibility to configure ingress that routes traffic directly to ingests
- OpenCTI: Added configurable
volumesandvolumeMountsfor connectors (see example page) - Elasticsearch: Added default initContainer that sets vm.max_map_count on the hosts. Disabled by default. Can be enabled with
elasticsearch.initVMMaxMapCount(recommended ifallowMmapis enabled, which is true by default). Warning: the default initContainer set in the chart will run as privileged, you can override the default initContainer if this doesn't meet your security requirements. The vm.max_map_count value defaults to 1048576 (recommended by Elastic) but can be configured through theelasticsearch.vmMaxMapCountValueparameter.
Fixed
- Elasticsearch: Added missing
tolerarionsandimagePullSecretsfor masterNodes configuration in values
[1.3.0] - 2026-03-11
Changed
- BREAKING CHANGE: OpenCTI: Bumped default version to 7.260309.0
- XTM Composer: Bumped default version to 2.260223.0 (to align with OpenCTI requirements)
- OpenCTI: Overriding the OpenCTI image tag is now correctly supported for front, ingests and workers
- Redis, MinIO, RabbitMQ: Conditionned the rendering of the storageClassName parameter in the PVC definition to avoid errors when not set and no default storage class is configured in the cluster.
[1.2.11] - 2026-03-05
Added
- OpenCTI: Added conditional metrics exposure for front and worker components via environment variables.
- Doc: Added setup guidance for secret-based
APP__HEALTH_ACCESS_KEYand metrics enablement.
Changed
- OpenCTI: Front and ingest readiness/liveness probes now use exec checks with
APP__HEALTH_ACCESS_KEYenvironment variable. - OpenCTI: Added commented default values examples to enable front and worker metrics.
[1.2.10] - 2026-03-02
Fixed
- Environment variables could be duplicated in pod specs when the same key
appeared in both
envFromSecretsandenvmaps. Now the chart tracks rendered keys and only emits each variable once, with secret‑sourced values taking precedence.
[1.2.9] - 2026-02-24
Added
- OpenCTI: Introduced the capacity of configuring
volumesandvolumeMountsfor OpenCTI front and ingesters
[1.2.8] - 2026-02-13
Removed
- OpenCTI: Removed OPENCTI_TOKEN from
opencti.worker.envin the default values file to avoid conflict when setting it from theopencti.worker.envFromSecretsblock
[1.2.7] - 2026-02-04
Added
- Redis: Added pod antiAffinity that defaults on Kubernetes host
- MinIO: Added pod antiAffinity that defaults on Kubernetes host
- RabbitMQ: Added pod antiAffinity that defaults on Kubernetes host
- Elasticsearch: Added pod antiAffinity that defaults on Kubernetes host
Changed
- BREAKING CHANGE: Redis: Added a distinction for Redis data and sentinel nodes in configuration
- BREAKING CHANGE: MinIO: Updated antiAffinity to be a full yaml definition instead of simple boolean
- OpenCTI: Bump default version to 6.9.15
- XTM Composer: Bump default version to 1.0.2. See changelog
Fixed
- Fixed multiple non-working configurations (affinity, nodeSelector...) caused by wrong indent in templates.
Removed
- BREAKING CHANGE: RabbitMQ:
nodeSelectorvalue was removed from values file as it's actually not supported by the CRD. Use theoverrideattribute instead Reference.
[1.2.6] - 2026-01-19
Added
- OpenCTI: Added
logLevelin values - OpenCTI: Added
writeAppLogsToFilein values to manage logs write to file (defaults to False) - OpenCTI: Added
writeAuditLogsToFilein values to manage audit logs write to file (defaults to False)
Changed
- OpenCTI: Bump default version to 6.9.7
- Doc: Pinned operator versions. Added recommended K8S version.
[1.2.5] - 2025-11-28
Changed
- Webservice: Added Import Document AI webservice & documentation
- OpenCTI: Bump default version to 6.8.15
[1.2.4] - 2025-11-26
Changed
- OpenCTI Connectors: Added some standard connectors configuration, disabled by default in values.yaml
[1.2.3] - 2025-11-25
Changed
- OpenCTI: Bump default version to 6.8.13
Fixed
- RabbitMQ: Removed Logging to file from default config to avoid error with security context from operator version >= 2.17
[1.2.2] - 2025-11-12
Changed
- Elasticsearch: Added S3 Client Snapshot config capability for backups
- Elasticsearch: Disabled by default the Kibana self-signed certificate to simplify access to dashboard by default
[1.2.1] - 2025-10-24
Fixed
- Redis: Fixed and streamlined securityContext enablement and configuration
Changed
- OpenCTI: Bump default version to 6.8.8
[1.2.0] - 2025-10-10
Added
- Customizable ingresses for Kibana, RabbitMQ Console and MinIO console
- Dedicated env vars for Front and Ingest deployments
Changed
- BREAKING CHANGE: Removed ClusterIP from Redis headless service (default is now None)
- Update Elasticsearch deployments configuration to support Master and Data nodes definition
- Redis: Bump to 8.0.4
- Elasticsearch: Bump to 8.18.4
Fixed
- Deactivated by default all managers on front deployments
- RabbitMQ: Enforced default configuration in values to make the workers connect properly
[1.1.0] - 2025-09-23
Added
- XTM composer integration
Changed
- Updated labels
[1.0.0] - 2025-08-12
Added
- First release: includes OpenCTI and its backend stack