
Installation of OpenCTI using external backends

Info

Use this installation method when you can provide the high-availability backends/databases required by OpenCTI, either as managed services or as in-house deployments run by an experienced team. This is the recommended scenario: the OpenCTI Helm chart provided by Filigran then deploys and configures only the OpenCTI software, which is mostly stateless by nature (it does not require long-lived disk storage).

Requirements

To deploy OpenCTI, the following information is required and is passed as values to the Helm chart:

  • ElasticSearch or OpenSearch cluster
    • endpoint / URL
    • login & password
  • RabbitMQ
    • endpoint / URL
    • login & password
    • virtualhost
  • S3
    • endpoint / URL
    • login & password
    • bucket name
    • bucket region
  • Redis
    • endpoint / URL
    • login & password (optional)
    • namespace

Air gapped environments

If your deployment will not be directly connected to the internet to pull images, you will need to prefetch or whitelist the following repositories:

  • OpenCTI: docker.io/opencti
  • XTM Composer: docker.io/filigran

Deployment using the helm chart

Create the kubernetes secrets to store backends credentials

OpenCTI components connect to the various backends and therefore need the credentials configured appropriately. It is recommended to store those credentials in Kubernetes Secrets and to use the envFromSecrets parameter of the Helm chart to reference them.

You are free to store those secrets as you wish. Below is an example of what is expected if the default values of the Helm chart are used; update the values of the secrets to reflect your environment:

  • Create the namespace so that the secrets are placed there

    kubectl create ns opencti

  • Elasticsearch / OpenSearch

    Create a file elasticsearch-credentials.yml

    apiVersion: v1
    kind: Secret
    metadata:
      name: elasticsearch-es-elastic-user
      namespace: opencti
    type: Opaque
    data:
      elastic: Y2hhbmdlX21lCg== # Base64 of "change_me" followed by a newline (echo adds it); encode real values with printf '%s' ... | base64 to avoid it
    
    Create the secret
    kubectl apply -f elasticsearch-credentials.yml
    

  • S3 / MinIO

    Create a file minio-credentials.yml

    apiVersion: v1
    kind: Secret
    metadata:
      name: minio-credentials
      namespace: opencti
    type: Opaque
    data:
      accessKey: Y2hhbmdlX21lCg== # Base64 of "change_me" followed by a newline (echo adds it); encode real values with printf '%s' ... | base64 to avoid it
      secretKey: Y2hhbmdlX21lCg== # Same value and same caveat
    
    Create the secret
    kubectl apply -f minio-credentials.yml
    

  • RabbitMQ

    Create a file rabbitmq-credentials.yml

    apiVersion: v1
    kind: Secret
    metadata:
      name: rabbitmq-default-user
      namespace: opencti
    type: Opaque
    data:
      username: Y2hhbmdlX21lCg== # Base64 of "change_me" followed by a newline (echo adds it); encode real values with printf '%s' ... | base64 to avoid it
      password: Y2hhbmdlX21lCg== # Same value and same caveat
    
    Create the secret
    kubectl apply -f rabbitmq-credentials.yml
    

  • Redis

    Create a file redis-credentials.yml

    apiVersion: v1
    kind: Secret
    metadata:
      name: redis-credentials
      namespace: opencti
    type: Opaque
    data:
      username: Y2hhbmdlX21lCg== # Base64 of "change_me" followed by a newline (echo adds it); encode real values with printf '%s' ... | base64 to avoid it
      password: Y2hhbmdlX21lCg== # Same value and same caveat
    
    Create the secret
    kubectl apply -f redis-credentials.yml
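
The manifests above hand-encode each value, and the sample value Y2hhbmdlX21lCg== actually decodes to change_me followed by a newline, which is what `echo change_me | base64` produces; a password carrying a stray newline is a classic cause of authentication failures against the backends. The script below is an added example and is not part of the Filigran chart or its documentation: it builds the four Secret manifests with exact encoding and audits an existing Secret object (as returned by `kubectl get secret NAME -n opencti -o json`) for trailing newlines. The namespace, Secret names and keys follow the page's defaults; the credential values are constructed placeholders.

```python
"""Build the OpenCTI backend credential Secrets and check base64 values for a
stray trailing newline.

Added example, not part of the Filigran chart or its documentation. Secret
names and keys match the page's defaults; the values are placeholders."""
import base64
import json

# Assumption: the same namespace as the page uses.
NAMESPACE = "opencti"

# Constructed placeholder credentials. A real deployment takes these from a
# password manager or a CI secret store, never from a committed file.
BACKEND_SECRETS = {
    "elasticsearch-es-elastic-user": {"elastic": "change_me"},
    "minio-credentials": {"accessKey": "change_me", "secretKey": "change_me"},
    "rabbitmq-default-user": {"username": "change_me", "password": "change_me"},
    "redis-credentials": {"username": "change_me", "password": "change_me"},
}


def b64(value: str) -> str:
    """Encode exactly the given text; nothing is appended, unlike `echo | base64`."""
    return base64.b64encode(value.encode()).decode()


def has_trailing_newline(encoded: str) -> bool:
    """True when a Secret data value decodes to text ending in a newline.

    `echo change_me | base64` yields such a value; the backend then receives a
    password ending in '\\n' and rejects the login."""
    return base64.b64decode(encoded).endswith(b"\n")


def secret_manifest(name: str, data: dict) -> dict:
    """Return a v1 Secret object with every data value base64-encoded."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": NAMESPACE},
        "type": "Opaque",
        "data": {key: b64(val) for key, val in data.items()},
    }


def audit_secret(manifest: dict) -> list:
    """Return the data keys of a Secret object whose value has a trailing newline.

    Works on a manifest built here or on `kubectl get secret NAME -o json` output."""
    return [k for k, v in manifest.get("data", {}).items() if has_trailing_newline(v)]


def manifests_as_json(secrets: dict) -> str:
    """Render all Secrets as one v1 List; kubectl accepts JSON as well as YAML,
    so no YAML library is needed."""
    items = [secret_manifest(name, data) for name, data in secrets.items()]
    return json.dumps({"apiVersion": "v1", "kind": "List", "items": items}, indent=2)


if __name__ == "__main__":
    # Pipe the output into `kubectl apply -f -`; nothing is applied by this script.
    print(manifests_as_json(BACKEND_SECRETS))
```

To check Secrets that are already in the cluster, feed `kubectl get secret elasticsearch-es-elastic-user -n opencti -o json` through `json.load` and pass the object to `audit_secret`; any key it lists was most likely encoded with `echo` instead of `printf '%s'`.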
    

Create a custom values.yaml file

Create a values.yaml file to override the default Helm configuration and match your environment. Edit the file according to the steps below.

Configure the external backends

Below are generic examples, one per backend. They are fragments of the same values.yaml and must be merged under a single opencti: key; configure them to reflect your actual environment:

  • Elasticsearch / OpenSearch

    opencti:
      env: 
        ELASTICSEARCH__USERNAME: elastic
        ELASTICSEARCH__URL: "<Your Elasticsearch endpoint>"
      envFromSecrets:
        ELASTICSEARCH__PASSWORD:
          secretName: elasticsearch-es-elastic-user
          key: elastic
    

    Info

    For the full list of Elasticsearch / OpenSearch environment variables supported by OpenCTI, see the official OpenCTI documentation.

  • S3 / MinIO

    opencti:
      env:
        # MinIO
        MINIO__ENDPOINT: "<Your MinIO endpoint>"
        MINIO__PORT: 443
        MINIO__BUCKET_NAME: "<Your MinIO bucket name>"
        MINIO__BUCKET_REGION: "<Your MinIO bucket region>"
        MINIO__USE_SSL: "true"
      envFromSecrets:
        MINIO__ACCESS_KEY:
          secretName: minio-credentials
          key: accessKey
        MINIO__SECRET_KEY:
          secretName: minio-credentials
          key: secretKey
    

    Info

    For the full list of S3 / MinIO environment variables supported by OpenCTI, see the official OpenCTI documentation.

  • RabbitMQ

    opencti:
      env:
        RABBITMQ__QUEUE_TYPE: "classic"
        RABBITMQ__HOSTNAME: "<Your RabbitMQ endpoint>"
        RABBITMQ__PORT: 5672
        RABBITMQ__PORT_MANAGEMENT: 443
        RABBITMQ__USE_SSL: "true"
      envFromSecrets:
        RABBITMQ__USERNAME:
          secretName: rabbitmq-default-user
          key: username
        RABBITMQ__PASSWORD:
          secretName: rabbitmq-default-user
          key: password
    

    Info

    For the full list of RabbitMQ environment variables supported by OpenCTI, see the official OpenCTI documentation.

  • Redis

    opencti:
      env:
        REDIS__MODE: "sentinel"
        REDIS__HOSTNAMES: '["<Your Redis endpoint>:<Your Redis port>"]'
        REDIS__HOSTNAME: "<Your Redis endpoint>"
        REDIS__PORT: 6379
        REDIS__USE_SSL: "true"
        REDIS__NAMESPACE: "opencti" # Prefix for Redis keys
      envFromSecrets:
        REDIS__USERNAME:
          secretName: redis-credentials
          key: username
        REDIS__PASSWORD:
          secretName: redis-credentials
          key: password
    

    Info

    For the full list of Redis environment variables supported by OpenCTI, see the official OpenCTI documentation.

Configure OpenCTI

opencti:
  version: "6.7.11"
  env:
    # OpenCTI
    APP__BASE_URL: "<Your OpenCTI domain>"
    APP__ADMIN__EMAIL: admin@opencti.io
    APP__ADMIN__PASSWORD: ChangeMe
    APP__ADMIN__TOKEN: "<A valid UUIDv4 token>"
    APP__HEALTH_ACCESS_KEY: ChangeMe

Info

OpenCTI can be configured quite extensively; refer to the OpenCTI documentation for more information. The admin password, admin token and health access key shown in plain text above can also be referenced from a Kubernetes Secret through envFromSecrets, exactly as done for the backend credentials.

Configure the OpenCTI ingress to access your instance

opencti:
  front:
    ingress:
      enabled: true
      className: "<The IngressClassName you want to use>"
      annotations: {} # Optional annotations for your Ingress
      hosts:
        - host: "<Your OpenCTI domain>"
          paths:
            - path: /
              pathType: ImplementationSpecific
      tls:
        - secretName: "<The Kubernetes secret containing your certificate>"
          hosts:
            - "<Your OpenCTI domain>"

Info

The tls section is optional but strongly recommended. Add annotations to this ingress if you rely on external tools such as cert-manager to manage your TLS certificates.

Connectors

The chart lets you declare the connectors that will be deployed alongside your OpenCTI instance.

  • Example with IPInfo

    opencti:
      connector:
        connectors:
          - name: ipinfo
            image:
              registry: "docker.io"
              repository: "opencti/connector-ipinfo"
              pullPolicy: "IfNotPresent"
            replicaCount: 1
            podLabels:
              app: opencti-connector-ipinfo
            env:
              OPENCTI_TOKEN: "ChangeMe"
              CONNECTOR_NAME: IPInfo
              CONNECTOR_SCOPE: IPv4-Addr
              CONNECTOR_TYPE: INTERNAL_ENRICHMENT
              CONNECTOR_ID: "ChangeMe"
              CONNECTOR_LOG_LEVEL: error
              IPINFO_MAX_TLP: TLP:AMBER
              IPINFO_TOKEN: "ChangeMe"

Connector env values can also be stored in a Kubernetes Secret.

  • Example with the connector environment variable OPENCTI_TOKEN

    Create the Secret (the name ChangeMe is a placeholder; pick one that matches your naming scheme):

    apiVersion: v1
    kind: Secret
    metadata:
      name: ChangeMe
      namespace: opencti
    type: Opaque
    data:
      OPENCTI_TOKEN: Y2hhbmdlX21lCg== # Base64 of "change_me" followed by a newline (echo adds it); encode real values with printf '%s' ... | base64 to avoid it

    Then reference it from the connector's envFromSecrets instead of setting OPENCTI_TOKEN under env:

    opencti:
      connector:
        connectors:
          - name: ipinfo
            image:
              registry: "docker.io"
              repository: "opencti/connector-ipinfo"
              pullPolicy: "IfNotPresent"
            replicaCount: 1
            podLabels:
              app: opencti-connector-ipinfo
            envFromSecrets:
              OPENCTI_TOKEN:
                key: OPENCTI_TOKEN
                secretName: ChangeMe
            env:
              CONNECTOR_NAME: IPInfo
              CONNECTOR_SCOPE: IPv4-Addr
              CONNECTOR_TYPE: INTERNAL_ENRICHMENT
              CONNECTOR_ID: "ChangeMe"
              CONNECTOR_LOG_LEVEL: error
              IPINFO_MAX_TLP: TLP:AMBER
              IPINFO_TOKEN: "ChangeMe"

Connectors must be configured appropriately using environment variables. Although some variables are common to all connectors (and can be set with the opencti.connector.commonEnv parameter), others require connector-specific configuration that is documented directly on GitHub; see OpenCTI-Platform/connectors.

For more information about what connectors are and how they run on OpenCTI, refer to the OpenCTI documentation.
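Both the OpenCTI block above (APP__ADMIN__PASSWORD, APP__ADMIN__TOKEN, APP__HEALTH_ACCESS_KEY) and the first connector example (OPENCTI_TOKEN, IPINFO_TOKEN) put credentials in plain text under env, while the page itself shows the envFromSecrets alternative. The following pre-deployment lint is an added example and is not part of the Filigran chart or its documentation: it walks a values tree in the layout the page uses (opencti.env, opencti.envFromSecrets and the same two maps on each entry of opencti.connector.connectors) and reports credential-like variables left in env, as well as envFromSecrets references to a Secret or key that does not exist. The sample values and the map of "existing" Secrets are constructed inline; with PyYAML installed the script can be pointed at a real values.yaml.

```python
"""Lint an OpenCTI Helm values tree before `helm install`.

Two checks: credential-like variables given in plain text under `env`, and
envFromSecrets references whose Secret or key is absent from the namespace.
Added example, not part of the Filigran chart; the values layout follows the
page, the sample values and the set of existing Secrets are constructed."""
import re

# Variable names that belong in a Secret rather than in a committed values.yaml.
CREDENTIAL_RE = re.compile(r"(PASSWORD|TOKEN|SECRET_KEY|ACCESS_KEY)$")


def _scopes(values: dict) -> list:
    """Return (label, block) pairs for the OpenCTI deployment and each declared
    connector; both kinds of block carry `env` and `envFromSecrets` maps."""
    opencti = values.get("opencti", {})
    scopes = [("opencti", opencti)]
    for conn in opencti.get("connector", {}).get("connectors", []):
        scopes.append((f"connector/{conn.get('name', '?')}", conn))
    return scopes


def plaintext_credentials(values: dict) -> list:
    """Return 'scope:VAR' for every credential-like variable set in plain text."""
    return [
        f"{scope}:{var}"
        for scope, block in _scopes(values)
        for var in block.get("env", {})
        if CREDENTIAL_RE.search(var)
    ]


def dangling_secret_refs(values: dict, existing: dict) -> list:
    """Return 'scope:VAR' for envFromSecrets entries whose secretName/key is not
    in `existing`, a {secret name: set of data keys} map such as one built from
    `kubectl get secrets -n opencti -o json`."""
    missing = []
    for scope, block in _scopes(values):
        for var, ref in block.get("envFromSecrets", {}).items():
            if ref.get("key") not in existing.get(ref.get("secretName"), set()):
                missing.append(f"{scope}:{var}")
    return missing


# Constructed sample mirroring the page's fragments, including its weak spots:
# admin credentials and connector tokens in env, and one reference to a key
# that does not exist in the Secret.
SAMPLE_VALUES = {
    "opencti": {
        "env": {
            "APP__BASE_URL": "https://opencti.example.test",
            "APP__ADMIN__EMAIL": "admin@opencti.io",
            "APP__ADMIN__PASSWORD": "ChangeMe",
            "APP__ADMIN__TOKEN": "ChangeMe",
            "ELASTICSEARCH__USERNAME": "elastic",
        },
        "envFromSecrets": {
            "ELASTICSEARCH__PASSWORD": {"secretName": "elasticsearch-es-elastic-user", "key": "elastic"},
            "REDIS__PASSWORD": {"secretName": "redis-credentials", "key": "passwd"},
        },
        "connector": {
            "connectors": [
                {
                    "name": "ipinfo",
                    "env": {
                        "OPENCTI_TOKEN": "ChangeMe",
                        "CONNECTOR_NAME": "IPInfo",
                        "IPINFO_TOKEN": "ChangeMe",
                    },
                }
            ]
        },
    }
}

# Constructed: what the namespace holds after the Secret steps above.
EXISTING_SECRETS = {
    "elasticsearch-es-elastic-user": {"elastic"},
    "redis-credentials": {"username", "password"},
}


if __name__ == "__main__":
    import sys

    values = SAMPLE_VALUES
    if len(sys.argv) > 1:
        import yaml  # PyYAML, only needed to lint a real values.yaml

        with open(sys.argv[1]) as fh:
            values = yaml.safe_load(fh)
    for item in plaintext_credentials(values):
        print("plaintext credential in env:", item)
    for item in dangling_secret_refs(values, EXISTING_SECRETS):
        print("envFromSecrets points at a missing Secret/key:", item)
```

Run it as `python lint_values.py values.yaml` before each helm install or upgrade; to lint against the real cluster, build the existing map from `kubectl get secrets -n opencti -o json`, taking each item's metadata.name and the keys of its data map.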

Deploy!

  • Log in to the Filigran registry with the credentials provided by Filigran

    helm registry login -u your_user -p your_password filigran.jfrog.io

    Passing the password with -p leaves it in your shell history and in the process listing; helm registry login also accepts --password-stdin, so the password can be piped from a secret store instead.
    

You can deploy the chart directly on your cluster with the commands below:

  • Initial deployment (if no version is specified, the latest is used; to pin one, add --version x.x.x):

    helm install opencti oci://filigran.jfrog.io/filigran-ee/opencti -f values.yaml -n opencti --create-namespace
    
  • Or, on configuration change / upgrade (if no version is specified, the latest is used; to pin one, add --version x.x.x):

    helm upgrade opencti oci://filigran.jfrog.io/filigran-ee/opencti --install -f values.yaml -n opencti
    

If you wish to pull the chart beforehand and apply it later, run the following commands (there is no helm apply subcommand; the downloaded archive is installed with helm install, or helm upgrade --install on later changes):

helm pull oci://filigran.jfrog.io/filigran-ee/opencti --version x.x.x
helm install opencti opencti-x.x.x.tgz -f values.yaml -n opencti --create-namespace