With external backends
This sample deploys only the OpenCTI application, based on the following assumptions:
- All the dependencies (Elasticsearch, MinIO, RabbitMQ, Redis) are already deployed, running and reachable from your Kubernetes cluster
- You created the Kubernetes secrets referenced below containing the relevant credentials
- You're using Nginx as ingress controller
You can customize the values according to your own settings.
Warning
Take time to review all credential values (admin password, tokens, health access key, connector API keys) and replace them with values of your own. The values shown in the samples are placeholders: do not deploy them as is.
Health Check Key
You can set APP__HEALTH_ACCESS_KEY from a secret (instead of a plain value) by wiring envFromSecrets. The secret must exist before the chart is installed; the name below is an example:
opencti:
  envFromSecrets:
    APP__HEALTH_ACCESS_KEY:
      secretName: opencti-config
      key: APP__HEALTH_ACCESS_KEY
Metrics
To enable metrics, set the following values. The two port values are the ports on which the platform and the worker expose their Prometheus endpoints; expose them to your scraper only, not through the ingress:
opencti:
  env:
    APP__TELEMETRY__METRICS__ENABLED: true
    APP__TELEMETRY__METRICS__EXPORTER_PROMETHEUS: 14269
worker:
  env:
    WORKER_TELEMETRY_ENABLED: true
    WORKER_PROMETHEUS_TELEMETRY_PORT: 14270
    WORKER_PROMETHEUS_TELEMETRY_HOST: 0.0.0.0
Dedicated ingress for Ingests
It is possible to expose the ingest endpoint through its own ingress, for example to let connectors running outside the cluster reach it. To do so, set the following values:
Warning
Make sure the host value doesn't conflict with the one used for the front. You can also use a different ingress class if needed by updating the className value. Connectors authenticate to this endpoint with their OPENCTI_TOKEN, so serve it over TLS only and restrict the source addresses where you can.
opencti:
  ingest:
    ingress:
      enabled: true
      className: "nginx"
      hosts:
        - host: opencti-ingest.local
          paths:
            - path: /
              pathType: ImplementationSpecific
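The same ingest ingress hardened with TLS and a source-address allow list, as an added example written for this page (not taken from the chart's own documentation). It assumes the chart's ingress template accepts the usual annotations: and tls: keys, that a TLS secret named opencti-ingest-tls already exists in the namespace, and that 203.0.113.0/24 stands for the network your external connectors egress from; all three are assumptions to adapt to your environment.

```yaml
opencti:
  ingest:
    ingress:
      enabled: true
      className: "nginx"
      annotations:
        # ingress-nginx annotations: force HTTPS and only accept the connectors' network (assumed range)
        nginx.ingress.kubernetes.io/ssl-redirect: "true"
        nginx.ingress.kubernetes.io/whitelist-source-range: "203.0.113.0/24"
      hosts:
        - host: opencti-ingest.local
          paths:
            - path: /
              pathType: ImplementationSpecific
      tls:
        - secretName: opencti-ingest-tls   # assumed to exist already (e.g. issued by cert-manager)
          hosts:
            - opencti-ingest.local
```

Without the tls section the connector tokens carried in the Authorization header travel in clear between the connector and the ingress controller.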
Connectors initContainers and volumes
Starting with chart version 1.3.1, you can configure initContainers and volumes for connectors. This is useful, for example, to mount custom certificates or to run a script before the connector starts. You can also enable and configure persistence of the connector's data if needed.
Example configuration for a CVE connector with an initContainer and a volume to mount custom certificates. Two caveats: the --no-check-certificate flag on the apk call disables TLS verification of the package download and should only stay if your egress proxy intercepts TLS; and the documented drop-in location for extra CAs picked up by update-ca-certificates is /usr/local/share/ca-certificates/, so prefer mounting the secret there. Python connectors built on requests read the system bundle only when REQUESTS_CA_BUNDLE points at it (for example /etc/ssl/certs/ca-certificates.crt), so set that variable in the connector env as well.
opencti:
  connector:
    connectors:
      - name: cve
        enabled: true
        initContainers:
          - name: cert-init
            image: alpine:3.23.3
            command: ["sh", "-c"]
            volumeMounts:
              - name: certs
                mountPath: /etc/ssl/certs
              - name: cert-secret
                mountPath: /usr/share/ca-certificates/cert.pem
                subPath: cert.pem
            args:
              - |
                # --no-check-certificate skips TLS verification of the apk download: drop it unless egress goes through a TLS-intercepting proxy
                apk --no-cache add --no-check-certificate ca-certificates && update-ca-certificates
        volumes:
          - name: certs
            emptyDir: {}
          - name: cert-secret
            secret:
              defaultMode: 0640
              items:
                - key: cert.pem
                  path: cert.pem
              optional: false
              secretName: my-custom-cert
        volumeMounts:
          - name: certs
            mountPath: /etc/ssl/certs
        image:
          registry: "docker.io"
          repository: "opencti/connector-cve"
        env:
          OPENCTI_TOKEN: "UUID-TOKEN"   # placeholder: the token of the connector's user
          CONNECTOR_TYPE: EXTERNAL_IMPORT
          CONNECTOR_NAME: Common Vulnerabilities and Exposures
          CONNECTOR_SCOPE: identity,vulnerability
          CONNECTOR_RUN_AND_TERMINATE: 'false'
          CONNECTOR_LOG_LEVEL: error
          CVE_BASE_URL: 'https://services.nvd.nist.gov/rest/json/cves'
          CVE_API_KEY: 'YOUR-API-KEY'   # placeholder
          CVE_INTERVAL: 2
          CVE_MAX_DATE_RANGE: 120
          CVE_MAINTAIN_DATA: 'true'
          CVE_PULL_HISTORY: 'false'
          CVE_HISTORY_START_YEAR: 2024
Example configuration for a CVE connector with persistence enabled
Warning
Connectors are not designed to scale out when persistence is enabled: the volume below uses a ReadWriteOnce access mode and the connector keeps local state. If you enable persistence, keep the replica count at 1.
opencti:
  connector:
    connectors:
      - name: cve
        enabled: true
        persistence:
          enabled: true
          storageClassName: "my-storage-class"
          accessMode: ReadWriteOnce
          size: 1Gi
        image:
          registry: "docker.io"
          repository: "opencti/connector-cve"
        env:
          OPENCTI_TOKEN: "UUID-TOKEN"
          CONNECTOR_TYPE: EXTERNAL_IMPORT
          CONNECTOR_NAME: Common Vulnerabilities and Exposures
          CONNECTOR_SCOPE: identity,vulnerability
          CONNECTOR_RUN_AND_TERMINATE: 'false'
          CONNECTOR_LOG_LEVEL: error
          CVE_BASE_URL: 'https://services.nvd.nist.gov/rest/json/cves'
          CVE_API_KEY: 'YOUR-API-KEY'
          CVE_INTERVAL: 2
          CVE_MAX_DATE_RANGE: 120
          CVE_MAINTAIN_DATA: 'true'
          CVE_PULL_HISTORY: 'false'
          CVE_HISTORY_START_YEAR: 2024
Example configuration for OpenCTI
opencti:
  env:
    # OpenCTI
    APP__ENCRYPTION_KEY: "ChangeMe"   # placeholder, replace it
    # Use the URL your users reach the front on (scheme and ingress host): OpenCTI builds links and SSO redirects from it
    APP__BASE_URL: "http://opencti:8080"
    APP__ADMIN__EMAIL: admin@opencti.io
    APP__ADMIN__PASSWORD: WhatA_Strong-P4ssword*!   # placeholder; prefer wiring it through envFromSecrets
    APP__ADMIN__TOKEN: "d99208c3-0eca-4c65-9633-42be3b9c6bb8"   # placeholder; generate your own UUID
    APP__HEALTH_ACCESS_KEY: "8b55aac644e9e6f2701805584cc391ff81d3ecec"   # placeholder (see Health Check Key above)
    # MinIO
    MINIO__ENDPOINT: "https://minio"
    MINIO__PORT: "443"
    MINIO__BUCKET_NAME: opencti
    MINIO__BUCKET_REGION: "eu-west"
    MINIO__USE_SSL: true
    # Elasticsearch
    ELASTICSEARCH__URL: "https://elasticsearch"
    # "false" turns off certificate verification toward Elasticsearch; acceptable for a lab with self-signed certificates only
    ELASTICSEARCH__SSL__REJECT_UNAUTHORIZED: "false"
    ELASTICSEARCH__USERNAME: "elastic"
    ELASTICSEARCH__INDEX_PREFIX: "opencti"
    # RabbitMQ
    RABBITMQ__HOSTNAME: rabbitmq   # host name only, no scheme: amqp/amqps and http/https are derived from the *_SSL flags below
    RABBITMQ__PORT: "5671"
    RABBITMQ__QUEUE_TYPE: classic
    RABBITMQ__USE_SSL: "true"
    RABBITMQ__PORT_MANAGEMENT: "443"
    RABBITMQ__MANAGEMENT_SSL: "true"
    # Redis
    REDIS__MODE: "cluster"
    REDIS__HOSTNAMES: '["redis:6379"]'   # used in cluster mode
    REDIS__HOSTNAME: "redis"             # used in single mode
    REDIS__NAMESPACE: opencti
    REDIS__USE_SSL: "true"
    REDIS__NOTIFICATION_TRIMMING: "50000"
    REDIS__ACTIVITY_TRIMMING: "50000"
    REDIS__TRIMMING: "500000"
  envFromSecrets:
    ELASTICSEARCH__PASSWORD:
      key: elastic
      secretName: elasticsearch-es-elastic-user
    MINIO__ACCESS_KEY:
      key: accessKey
      secretName: minio-credentials
    MINIO__SECRET_KEY:
      key: secretKey
      secretName: minio-credentials
    RABBITMQ__USERNAME:
      key: username
      secretName: rabbitmq-default-user
    RABBITMQ__PASSWORD:
      key: password
      secretName: rabbitmq-default-user
    REDIS__USERNAME:
      secretName: redis-credentials
      key: username
    REDIS__PASSWORD:
      secretName: redis-credentials
      key: password
  front:
    ingress:
      enabled: true
      className: "nginx" # Update it to reflect your environment
      hosts:
        - host: opencti.local # Update it to reflect your environment
          paths:
            - path: /
              pathType: Prefix
  ingest:
    resources:
      requests:
        cpu: 1
        memory: 1Gi
      limits:
        memory: 2Gi
worker:
  env:
    OPENCTI_TOKEN: "d99208c3-0eca-4c65-9633-42be3b9c6bb8"   # placeholder: same as APP__ADMIN__TOKEN here; a dedicated user token is preferable
  resources:
    limits:
      memory: 1Gi
    requests:
      cpu: "1"
      memory: 512Mi
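As an added pre-deployment check (example code written for this page, not part of the chart or of OpenCTI), the script below loads a values file and flags the mistakes this page's warnings describe: credentials or sample placeholders left in plain env instead of envFromSecrets, the ELASTICSEARCH__SSL__REJECT_UNAUTHORIZED="false" setting, a persistence-enabled connector with more than one replica, and an ingest ingress that reuses the front host or lacks TLS. It assumes replicaCount is the chart's per-connector replica key and tls: the ingress TLS key; check both against the chart's values.yaml. PyYAML is optional: without it, pass a JSON values file, which Helm also accepts. The embedded SAMPLE_VALUES is a constructed dict mirroring the shape of the sample above.

```python
#!/usr/bin/env python3
"""Pre-deploy checks for an OpenCTI Helm values file (example written for this page)."""
import json
import sys

try:
    import yaml  # PyYAML is optional: without it, pass a JSON values file (Helm accepts JSON too)
except ImportError:
    yaml = None

# Env keys whose value is a credential: they belong in envFromSecrets, never in plain `env`.
SECRET_ENV_KEYS = {
    "APP__ADMIN__PASSWORD", "APP__ADMIN__TOKEN", "APP__HEALTH_ACCESS_KEY",
    "APP__ENCRYPTION_KEY", "OPENCTI_TOKEN", "CVE_API_KEY", "ELASTICSEARCH__PASSWORD",
    "MINIO__ACCESS_KEY", "MINIO__SECRET_KEY", "RABBITMQ__PASSWORD", "REDIS__PASSWORD",
}
# Placeholder strings that appear in sample values files (compared case-insensitively).
PLACEHOLDERS = {"changeme", "uuid-token", "your-api-key"}
# (key, lower-cased value) pairs that switch certificate verification off.
TLS_OFF = {("ELASTICSEARCH__SSL__REJECT_UNAUTHORIZED", "false")}


def load_values(path):
    """Load a Helm values file: YAML when PyYAML is installed, JSON otherwise."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return yaml.safe_load(text) if yaml is not None else json.loads(text)


def _hosts(ingress):
    """Set of host names declared on an ingress values block."""
    return {h["host"] for h in ((ingress or {}).get("hosts") or []) if h.get("host")}


def lint_values(values):
    """Return a list of (severity, message) findings; an empty list means no findings."""
    findings = []
    cti = values.get("opencti") or {}
    connectors = (cti.get("connector") or {}).get("connectors") or []

    # 1. Credentials, placeholders and TLS-off switches in every env map the chart renders.
    env_maps = [("opencti.env", cti.get("env")),
                ("worker.env", (values.get("worker") or {}).get("env"))]
    env_maps += [(f"connector[{c.get('name')}].env", c.get("env")) for c in connectors]
    for where, env in env_maps:
        for key, val in (env or {}).items():
            sval = str(val).lower()  # YAML booleans arrive as bool, everything else as str
            if key in SECRET_ENV_KEYS:
                findings.append(("ERROR", f"{where}: {key} is a plain value; use envFromSecrets"))
            if sval in PLACEHOLDERS:
                findings.append(("ERROR", f"{where}: {key} still holds a sample placeholder"))
            if (key, sval) in TLS_OFF:
                findings.append(("WARN", f"{where}: {key}={val} disables TLS certificate verification"))

    # 2. A connector with persistence enabled must not scale out.
    #    `replicaCount` is assumed to be the chart's per-connector replica key (check values.yaml).
    for c in connectors:
        if (c.get("persistence") or {}).get("enabled") and c.get("replicaCount", 1) != 1:
            findings.append(("ERROR", f"connector[{c.get('name')}]: persistence enabled with "
                                      f"replicaCount={c['replicaCount']}; it must be 1"))

    # 3. The ingest ingress must not reuse the front host, and should carry TLS.
    ingest = (cti.get("ingest") or {}).get("ingress") or {}
    if ingest.get("enabled"):
        clash = _hosts((cti.get("front") or {}).get("ingress")) & _hosts(ingest)
        if clash:
            findings.append(("ERROR", f"ingest ingress host(s) {sorted(clash)} clash with the front ingress"))
        if not ingest.get("tls"):
            findings.append(("WARN", "ingest ingress has no tls section; connector tokens would travel in clear"))
    return findings


# Constructed sample that mirrors the shape of this page's values (not a real deployment).
SAMPLE_VALUES = {
    "opencti": {
        "env": {"APP__ADMIN__PASSWORD": "ChangeMe",
                "ELASTICSEARCH__SSL__REJECT_UNAUTHORIZED": "false"},
        "envFromSecrets": {"ELASTICSEARCH__PASSWORD": {"secretName": "es-user", "key": "elastic"}},
        "front": {"ingress": {"enabled": True, "hosts": [{"host": "opencti.local"}]}},
        "ingest": {"ingress": {"enabled": True, "hosts": [{"host": "opencti.local"}]}},
        "connector": {"connectors": [
            {"name": "cve", "enabled": True, "replicaCount": 2, "persistence": {"enabled": True},
             "env": {"OPENCTI_TOKEN": "UUID-TOKEN", "CVE_API_KEY": "YOUR-API-KEY"}},
        ]},
    },
    "worker": {"env": {"OPENCTI_TOKEN": "d99208c3-0eca-4c65-9633-42be3b9c6bb8"}},
}

if __name__ == "__main__":
    values = load_values(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_VALUES
    for severity, message in lint_values(values):
        print(f"{severity}: {message}")
```

Run it as `python3 lint_values.py values.yaml` before `helm upgrade --install`; with no argument it lints the constructed sample, which reproduces every finding the warnings on this page describe. Treat the worker token finding as real too: the sample keeps OPENCTI_TOKEN in plain env, which is exactly what the credentials warning asks you to avoid.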