
Requirements for a deployment of OpenCTI with helm-managed backends

To manage the backends and databases required by OpenCTI, the helm chart relies on the operators installed in the "Install required operators" section below (the ECK operator for Elasticsearch, the RabbitMQ cluster operator and the MinIO operator):

Info

Operators are components that manage the lifecycle of your resources and take on part of the complexity of configuring those resources.

More information about operators can be found in the official Kubernetes documentation.

No operator or configuration was deemed satisfactory for setting up a highly available Redis database. The helm chart therefore includes a Sentinel-based highly available Redis deployment of its own, without any external requirement.

Air gapped environments

If your deployment will not be directly connected to the internet to pull images, you will need to prefetch or whitelist the following image repositories:

  • Elasticsearch: docker.elastic.co/elasticsearch
  • Kibana: docker.elastic.co/kibana
  • MinIO: quay.io/minio
  • OpenCTI: docker.io/opencti
  • XTM Composer: docker.io/filigran
  • RabbitMQ: docker.io/rabbitmq
  • RabbitMQ Operator: docker.io/rabbitmqoperator
  • Redis: docker.io/redis

Install required operators

ElasticSearch

helm repo add elastic https://helm.elastic.co
helm repo update
helm install elastic-operator elastic/eck-operator -n operator-elastic --create-namespace

RabbitMQ

kubectl apply -f "https://github.com/rabbitmq/cluster-operator/releases/latest/download/cluster-operator.yml"

MinIO

helm repo add minio-operator https://operator.min.io
helm repo update
helm install minio-operator minio-operator/operator -n operator-minio --create-namespace

Configure a default storage class

Because your Kubernetes cluster will be hosting the persistent volumes for the different backends, it needs a way to create those volumes automatically. For this you have to configure a default storage class, which this Helm chart will use.

You can also use a storage class of your choice by overriding the corresponding parameter for each backend in your values.

Configure your RSA Key for the XTM Composer

With the 6.8.0 release of OpenCTI, a new component called the XTM Composer is available. This helm chart includes the deployment of the composer, but it requires the generation of an RSA key, which is used to secure the communication between the platform and the composer.

The composer is currently disabled by default and can be turned on by setting its enabled switch to true in your values. If you do not wish to turn it on, you can skip the RSA key creation.

You can generate the key and create the appropriate Kubernetes secret with the following instructions:

# Generate key
openssl genrsa -out private_key_4096.pem 4096

# Create secret (review the -n parameter to make sure it fits your namespace)
kubectl create secret generic xtm-composer-rsakey \
  --from-file=private_key.pem=private_key_4096.pem \
  -n opencti

Info

The data key inside the secret is named private_key.pem here. Make sure that the value of xtmComposer.rsaKeyFileName matches the data key of the secret you have generated. The default value, as in this example, is private_key.pem.
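The following script is an added example, not part of the OpenCTI chart or its documentation. It performs the same steps as the commands above but without a live cluster: it generates the 4096-bit key with openssl, verifies the key size, renders the Secret manifest that kubectl create secret generic --from-file would produce (you could equally get it from kubectl with --dry-run=client -o yaml), and checks that the data key in the manifest matches the value you intend to set for xtmComposer.rsaKeyFileName, which is the mismatch the Info box warns about. The RSA_KEY_FILE_NAME, NAMESPACE and WORKDIR variables and all function names are assumptions of this example; the secret name and the default file name are taken from the page.

```shell
#!/usr/bin/env sh
# Added example (not from the OpenCTI chart): generate the XTM Composer RSA key,
# render the Kubernetes Secret offline and check the data key name against
# the value that will be set for xtmComposer.rsaKeyFileName.
set -eu

# Hypothetical variables for this example; defaults follow the page.
RSA_KEY_FILE_NAME="${RSA_KEY_FILE_NAME:-private_key.pem}"  # must equal xtmComposer.rsaKeyFileName
SECRET_NAME="xtm-composer-rsakey"
NAMESPACE="${NAMESPACE:-opencti}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# generate_key <path>: create a 4096-bit RSA private key readable only by the
# current user (the umask also covers the manifest, which embeds the key).
generate_key() {
  umask 077
  openssl genrsa -out "$1" 4096 2>/dev/null
}

# key_bits <path>: print the modulus size in bits of an RSA private key.
key_bits() {
  mod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null | sed 's/^Modulus=//')
  echo $(( ${#mod} * 4 ))
}

# render_secret_manifest <keyfile> <secret name> <namespace> <data key>:
# print the same Opaque Secret that `kubectl create secret generic
# --from-file=<data key>=<keyfile>` would create, as YAML.
render_secret_manifest() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $2
  namespace: $3
type: Opaque
data:
  $4: $(base64 < "$1" | tr -d '\n')
EOF
}

# secret_has_key <manifest file> <expected data key>: succeed only if the
# manifest carries the expected file name under .data (the chart mounts the
# key under the name given by xtmComposer.rsaKeyFileName).
secret_has_key() {
  grep -q "^  $2: " "$1"
}

KEY_FILE="$WORKDIR/private_key_4096.pem"
MANIFEST="$WORKDIR/xtm-composer-rsakey.yaml"

generate_key "$KEY_FILE"
[ "$(key_bits "$KEY_FILE")" = "4096" ] || { echo "unexpected key size" >&2; exit 1; }

render_secret_manifest "$KEY_FILE" "$SECRET_NAME" "$NAMESPACE" "$RSA_KEY_FILE_NAME" > "$MANIFEST"
secret_has_key "$MANIFEST" "$RSA_KEY_FILE_NAME" \
  || { echo "data key does not match xtmComposer.rsaKeyFileName=$RSA_KEY_FILE_NAME" >&2; exit 1; }

echo "manifest written to $MANIFEST (apply with: kubectl apply -f $MANIFEST)"
```

The rendered manifest contains the private key in base64, so treat the file like the key itself: apply it and delete it, or pipe the output straight into kubectl apply -f - instead of writing it to disk. If you change xtmComposer.rsaKeyFileName in your values, rerun with RSA_KEY_FILE_NAME set to the same value so the check stays meaningful.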