From 610bbaafdaa9bc2ec141eb661dacdde9727ff69d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Iv=C3=A1n=20Alejandro=20Marug=C3=A1n?=
Date: Sun, 12 Nov 2023 20:43:41 +0100
Subject: [PATCH] feat: create stable release

* feat: create stable release
* feat: add checker
---
 .gitignore | 2 +
 charts/opencti/Chart.yaml | 18 +-
 charts/opencti/README.md | 86 +++++--
 charts/opencti/README.md.gotmpl | 2 +-
 charts/opencti/ci/ci-values.yaml | 31 +++
 .../deployment.yaml} | 0
 charts/opencti/templates/role.yaml | 9 -
 charts/opencti/templates/rolebinding.yaml | 12 -
 .../deployment.yaml} | 32 ++-
 .../hpa.yaml} | 0
 .../deployment.yaml} | 9 +
 .../hpa.yaml} | 0
 charts/opencti/values.yaml | 226 ++++++++++++++++--
 ct.yaml | 2 +-
 14 files changed, 355 insertions(+), 74 deletions(-)
 create mode 100644 .gitignore
 create mode 100644 charts/opencti/ci/ci-values.yaml
 rename charts/opencti/templates/{deployment-opencti-connector.yaml => connector/deployment.yaml} (100%)
 delete mode 100644 charts/opencti/templates/role.yaml
 delete mode 100644 charts/opencti/templates/rolebinding.yaml
 rename charts/opencti/templates/{deployment-opencti-server.yaml => server/deployment.yaml} (74%)
 rename charts/opencti/templates/{hpa-opencti-server.yaml => server/hpa.yaml} (100%)
 rename charts/opencti/templates/{deployment-opencti-worker.yaml => worker/deployment.yaml} (84%)
 rename charts/opencti/templates/{hpa-opencti-worker.yaml => worker/hpa.yaml} (100%)

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..c9a0a77
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+*.tgz
+Chart.lock
\ No newline at end of file
diff --git a/charts/opencti/Chart.yaml b/charts/opencti/Chart.yaml
index 85220b6..c3e8eb9 100644
--- a/charts/opencti/Chart.yaml
+++ b/charts/opencti/Chart.yaml
@@ -8,25 +8,29 @@ maintainers: url: https://ialejandro.rocks sources: - https://github.com/OpenCTI-Platform/opencti -version: 1.0.0 -appVersion: "5.8.3" -home: hhttps://www.filigran.io/en/solutions/products/opencti/ +version: 1.1.0 +appVersion: "5.11.13" +home: https://www.filigran.io/en/solutions/products/opencti/ keywords: - opencti dependencies: + - name: elasticsearch + version: 19.13.* + repository: https://charts.bitnami.com/bitnami + condition: elasticsearch.enabled - name: minio - version: 12.6.* + version: 12.8.* repository: https://charts.bitnami.com/bitnami condition: minio.enabled - name: opensearch - version: 2.13.* + version: 2.16.* repository: https://opensearch-project.github.io/helm-charts/ condition: opensearch.enabled - name: rabbitmq - version: 11.13.* + version: 12.3.* repository: https://charts.bitnami.com/bitnami condition: rabbitmq.enabled - name: redis - version: 17.11.* + version: 18.2.* repository: https://charts.bitnami.com/bitnami condition: redis.enabled diff --git a/charts/opencti/README.md b/charts/opencti/README.md index ed36a0f..ae51374 100644 --- a/charts/opencti/README.md +++ b/charts/opencti/README.md @@ -16,10 +16,11 @@ A Helm chart to deploy open cyber threat intelligence platform | Repository | Name | Version | |------------|------|---------| -| https://charts.bitnami.com/bitnami | minio | 12.6.* | -| https://charts.bitnami.com/bitnami | rabbitmq | 11.13.* | -| https://charts.bitnami.com/bitnami | redis | 17.11.* | -| https://opensearch-project.github.io/helm-charts/ | opensearch | 2.13.* | +| https://charts.bitnami.com/bitnami | elasticsearch | 19.13.* | +| https://charts.bitnami.com/bitnami | minio | 12.8.* | +| https://charts.bitnami.com/bitnami | rabbitmq | 12.3.* | +| https://charts.bitnami.com/bitnami | redis | 18.2.* | +| https://opensearch-project.github.io/helm-charts/ | opensearch | 2.16.* | ## Add repository 
@@ -51,7 +52,7 @@ _See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for command doc ## OpenCTI -* [Environment configuration](https://docs.opencti.io/5.8.X/deployment/configuration/#platform) +* [Environment configuration](https://docs.opencti.io/5.11.X/deployment/configuration/#platform) * [Connectors](https://github.com/OpenCTI-Platform/connectors/tree/master). Review `docker-compose.yaml` with the properly config * Check connectors samples on `examples` folder 
@@ -71,36 +72,89 @@ helm show values devops-ia/opencti | autoscaling | object | `{"enabled":false,"maxReplicas":100,"minReplicas":1,"targetCPUUtilizationPercentage":80}` | Autoscaling with CPU or memory utilization percentage | | connectors | list | `[]` | Connectors ref: https://github.com/OpenCTI-Platform/connectors/tree/master | | connectorsGlobalEnv | string | `nil` | Connector Global environment | -| env | object | `{}` | Environment variables to configure application ref: https://docs.opencti.io/5.8.X/deployment/configuration/#platform | -| envFromSecrets | object | `{}` | Secrets from variables with SOPS cipher | +| elasticsearch | object | `{"clusterName":"elastic","coordinating":{"replicaCount":0},"data":{"persistence":{"enabled":false},"replicaCount":1},"enabled":true,"extraEnvVars":[{"name":"ES_JAVA_OPTS","value":"-Xms512M -Xmx512M"}],"ingest":{"enabled":false},"master":{"masterOnly":true,"persistence":{"enabled":false},"replicaCount":1},"sysctlImage":{"enabled":false}}` | ElasticSearch subchart deployment ref: https://github.com/bitnami/charts/blob/main/bitnami/elasticsearch/values.yaml | +| elasticsearch.clusterName | string | `"elastic"` | Elasticsearch cluster name | +| elasticsearch.coordinating | object | `{"replicaCount":0}` | Coordinating-only nodes parameters | +| elasticsearch.coordinating.replicaCount | int | `0` | Number of coordinating-only replicas to deploy | +| elasticsearch.data | object | `{"persistence":{"enabled":false},"replicaCount":1}` | Data-only nodes parameters | +| elasticsearch.data.persistence | object | `{"enabled":false}` | Enable persistence using Persistent Volume Claims ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ | +| elasticsearch.data.persistence.enabled | bool | `false` | Enable persistence using a `PersistentVolumeClaim` | +| elasticsearch.data.replicaCount | int | `1` | Number of data-only replicas to deploy | +| elasticsearch.enabled | bool | `true` | Enable or disable ElasticSearch subchart | +| 
elasticsearch.ingest | object | `{"enabled":false}` | Ingest-only nodes parameters | +| elasticsearch.ingest.enabled | bool | `false` | Enable ingest nodes | +| elasticsearch.master.masterOnly | bool | `true` | Deploy the Elasticsearch master-elegible nodes as master-only nodes. Recommended for high-demand deployments. | +| elasticsearch.master.persistence | object | `{"enabled":false}` | Enable persistence using Persistent Volume Claims ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ | +| elasticsearch.master.persistence.enabled | bool | `false` | Enable persistence using a `PersistentVolumeClaim` | +| elasticsearch.master.replicaCount | int | `1` | Number of master-elegible replicas to deploy | +| env | object | `{"APP__ADMIN__EMAIL":"admin@opencti.io","APP__ADMIN__PASSWORD":"ChangeMe","APP__ADMIN__TOKEN":"ChangeMe","APP__BASE_PATH":"/","ELASTICSEARCH__URL":"http://release-name-elasticsearch:9200","MINIO__ENDPOINT":"release-name-minio:9000","RABBITMQ__HOSTNAME":"release-name-rabbitmq","RABBITMQ__PASSWORD":"ChangeMe","RABBITMQ__PORT":5672,"RABBITMQ__PORT_MANAGEMENT":15672,"RABBITMQ__USERNAME":"user","REDIS__HOSTNAME":"release-name-redis-master","REDIS__MODE":"single","REDIS__PORT":6379}` | Environment variables to configure application ref: https://docs.opencti.io/5.9.X/deployment/configuration/#platform | +| envFromSecrets | object | `{}` | Secrets from variables | | fullnameOverride | string | `""` | String to fully override opencti.fullname template | | global | object | `{"imagePullSecrets":[],"imageRegistry":""}` | Global configuration | | image | object | `{"pullPolicy":"IfNotPresent","repository":"opencti/platform","tag":""}` | Image registry | | imagePullSecrets | list | `[]` | Global Docker registry secret names as an array | | ingress | object | `{"annotations":{},"className":"","enabled":false,"hosts":[{"host":"chart-example.local","paths":[{"path":"/","pathType":"ImplementationSpecific"}]}],"tls":[]}` | Ingress configuration to expose 
app | -| minio | object | `{"enabled":false}` | MinIO subchart deployment ref: https://github.com/bitnami/charts/blob/main/bitnami/minio/values.yaml | +| minio | object | `{"auth":{"rootPassword":"ChangeMe","rootUser":"ChangeMe"},"enabled":true,"mode":"standalone","persistence":{"enabled":false}}` | MinIO subchart deployment ref: https://github.com/bitnami/charts/blob/main/bitnami/minio/values.yaml | +| minio.auth.rootPassword | string | `"ChangeMe"` | Password for Minio root user | +| minio.auth.rootUser | string | `"ChangeMe"` | Minio root username | +| minio.enabled | bool | `true` | Enable or disable MinIO subchart | +| minio.mode | string | `"standalone"` | mode Minio server mode (`standalone` or `distributed`) ref: https://docs.minio.io/docs/distributed-minio-quickstart-guide | +| minio.persistence | object | `{"enabled":false}` | Enable persistence using Persistent Volume Claims ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ | +| minio.persistence.enabled | bool | `false` | Enable MinIO data persistence using PVC. 
If false, use emptyDir | | nameOverride | string | `""` | String to partially override opencti.fullname template (will maintain the release name) | | nodeSelector | object | `{}` | Node labels for pod assignment | -| opensearch | object | `{"enabled":false}` | OpenSearch subchart deployment ref: https://github.com/opensearch-project/helm-charts/blob/opensearch-2.13.0/charts/opensearch/values.yaml | -| rabbitmq | object | `{"enabled":false}` | RabbitMQ subchart deployment ref: https://github.com/bitnami/charts/blob/main/bitnami/rabbitmq/values.yaml | -| redis | object | `{"enabled":false}` | Redis subchart deployment ref: https://github.com/bitnami/charts/blob/main/bitnami/redis/values.yaml | +| opensearch | object | `{"enabled":false,"opensearchJavaOpts":"-Xmx512M -Xms512M","persistence":{"enabled":false},"singleNode":true}` | OpenSearch subchart deployment ref: https://github.com/opensearch-project/helm-charts/blob/opensearch-2.16.1/charts/opensearch/values.yaml | +| opensearch.enabled | bool | `false` | Enable or disable OpenSearch subchart | +| opensearch.opensearchJavaOpts | string | `"-Xmx512M -Xms512M"` | OpenSearch Java options | +| opensearch.persistence | object | `{"enabled":false}` | Enable persistence using Persistent Volume Claims ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ | +| opensearch.singleNode | bool | `true` | If discovery.type in the opensearch configuration is set to "single-node", this should be set to "true" If "true", replicas will be forced to 1 | +| rabbitmq | object | `{"auth":{"erlangCookie":"b25c953e-2193-4b8e-9f3b-9a3a5ba76d75","password":"ChangeMe","username":"user"},"clustering":{"enabled":false},"enabled":true,"persistence":{"enabled":false},"replicaCount":1}` | RabbitMQ subchart deployment ref: https://github.com/bitnami/charts/blob/main/bitnami/rabbitmq/values.yaml | +| rabbitmq.auth | object | `{"erlangCookie":"b25c953e-2193-4b8e-9f3b-9a3a5ba76d75","password":"ChangeMe","username":"user"}` | RabbitMQ 
Authentication parameters | +| rabbitmq.auth.password | string | `"ChangeMe"` | RabbitMQ application password ref: https://github.com/bitnami/containers/tree/main/bitnami/rabbitmq#environment-variables | +| rabbitmq.auth.username | string | `"user"` | RabbitMQ application username ref: https://github.com/bitnami/containers/tree/main/bitnami/rabbitmq#environment-variables | +| rabbitmq.clustering | object | `{"enabled":false}` | Clustering settings | +| rabbitmq.clustering.enabled | bool | `false` | Enable RabitMQ clustering | +| rabbitmq.enabled | bool | `true` | Enable or disable RabbitMQ subchart | +| rabbitmq.persistence | object | `{"enabled":false}` | Persistence parameters | +| rabbitmq.persistence.enabled | bool | `false` | Enable RabbitMQ data persistence using PVC | +| rabbitmq.replicaCount | int | `1` | Number of RabbitMQ replicas to deploy | +| readyChecker | object | `{"enabled":true,"retries":30,"services":[{"name":"elasticsearch","port":9200},{"name":"minio","port":9000},{"name":"rabbitmq","port":5672},{"name":"redis-master","port":6379}],"timeout":5}` | Enable or disable ready-checker | +| readyChecker.retries | int | `30` | Number of retries before giving up | +| readyChecker.services | list | `[{"name":"elasticsearch","port":9200},{"name":"minio","port":9000},{"name":"rabbitmq","port":5672},{"name":"redis-master","port":6379}]` | List services | +| readyChecker.timeout | int | `5` | Timeout for each check | +| redis | object | `{"architecture":"standalone","auth":{"enabled":false},"enabled":true,"master":{"count":1,"persistence":{"enabled":false}},"replica":{"persistence":{"enabled":false},"replicaCount":1}}` | Redis subchart deployment ref: https://github.com/bitnami/charts/blob/main/bitnami/redis/values.yaml | +| redis.architecture | string | `"standalone"` | Redis architecture. 
Allowed values: `standalone` or `replication` | +| redis.auth | object | `{"enabled":false}` | Redis Authentication parameters ref: https://github.com/bitnami/containers/tree/main/bitnami/redis#setting-the-server-password-on-first-run | +| redis.auth.enabled | bool | `false` | Enable password authentication | +| redis.enabled | bool | `true` | Enable or disable Redis subchart | +| redis.master | object | `{"count":1,"persistence":{"enabled":false}}` | Redis master configuration parameters | +| redis.master.count | int | `1` | Number of Redis master instances to deploy (experimental, requires additional configuration) | +| redis.master.persistence | object | `{"enabled":false}` | Persistence parameters ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ | +| redis.master.persistence.enabled | bool | `false` | Enable persistence on Redis master nodes using Persistent Volume Claims | +| redis.replica | object | `{"persistence":{"enabled":false},"replicaCount":1}` | Redis replicas configuration parameters | +| redis.replica.persistence | object | `{"enabled":false}` | Persistence parameters ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ | +| redis.replica.persistence.enabled | bool | `false` | Enable persistence on Redis master nodes using Persistent Volume Claims | +| redis.replica.replicaCount | int | `1` | Number of Redis replicas to deploy | | replicaCount | int | `1` | Number of replicas | | resources | object | `{}` | The resources limits and requested | -| secrets | object | `{}` | Secrets values to create credencials (cipher with SOPS) and reference by envFromSecrets | +| secrets | object | `{}` | Secrets values to create credencials and reference by envFromSecrets | | service | object | `{"port":80,"targetPort":4000,"type":"ClusterIP"}` | Kubernetes servide to expose Pod | | service.port | int | `80` | Kubernetes Service port | | service.targetPort | int | `4000` | Pod expose port | | service.type | string | `"ClusterIP"` | 
Kubernetes Service type. Allowed values: NodePort, LoadBalancer or ClusterIP | | serviceAccount | object | `{"annotations":{},"create":true,"name":""}` | Enable creation of ServiceAccount | -| testConnection | bool | `false` | Enable livenessProbe and readinessProbe | +| testConnection | bool | `true` | Enable livenessProbe, readinessProbe and startupProbe | | tolerations | list | `[]` | Tolerations for pod assignment | -| worker | object | `{"affinity":{},"autoscaling":{"enabled":false,"maxReplicas":100,"minReplicas":1,"targetCPUUtilizationPercentage":80},"enabled":true,"env":{},"envFromSecrets":{},"image":{"pullPolicy":"IfNotPresent","repository":"opencti/worker","tag":""},"nodeSelector":{},"replicaCount":1,"resources":{},"tolerations":[]}` | OpenCTI worker deployment configuration | +| worker | object | `{"affinity":{},"autoscaling":{"enabled":false,"maxReplicas":100,"minReplicas":1,"targetCPUUtilizationPercentage":80},"enabled":true,"env":{"WORKER_LOG_LEVEL":"info"},"envFromSecrets":{},"image":{"pullPolicy":"IfNotPresent","repository":"opencti/worker","tag":""},"nodeSelector":{},"readyChecker":{"enabled":true,"retries":30,"timeout":5},"replicaCount":1,"resources":{},"tolerations":[]}` | OpenCTI worker deployment configuration | | worker.affinity | object | `{}` | Affinity for pod assignment | | worker.autoscaling | object | `{"enabled":false,"maxReplicas":100,"minReplicas":1,"targetCPUUtilizationPercentage":80}` | Autoscaling with CPU or memory utilization percentage | -| worker.env | object | `{}` | Environment variables to configure application ref: https://docs.opencti.io/5.8.X/deployment/configuration/#platform | -| worker.envFromSecrets | object | `{}` | Secrets from variables with SOPS cipher | +| worker.env | object | `{"WORKER_LOG_LEVEL":"info"}` | Environment variables to configure application ref: https://docs.opencti.io/5.11.X/deployment/configuration/#platform | +| worker.envFromSecrets | object | `{}` | Secrets from variables | | worker.image | 
object | `{"pullPolicy":"IfNotPresent","repository":"opencti/worker","tag":""}` | Image registry | | worker.nodeSelector | object | `{}` | Node labels for pod assignment | +| worker.readyChecker | object | `{"enabled":true,"retries":30,"timeout":5}` | Enable or disable ready-checker waiting server is ready | +| worker.readyChecker.retries | int | `30` | Number of retries before giving up | +| worker.readyChecker.timeout | int | `5` | Timeout for each check | | worker.replicaCount | int | `1` | Number of replicas | | worker.resources | object | `{}` | The resources limits and requested | | worker.tolerations | list | `[]` | Tolerations for pod assignment | \ No newline at end of file diff --git a/charts/opencti/README.md.gotmpl b/charts/opencti/README.md.gotmpl index 57f1629..1a59a3d 100644 --- a/charts/opencti/README.md.gotmpl +++ b/charts/opencti/README.md.gotmpl @@ -40,7 +40,7 @@ _See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for command doc ## OpenCTI -* [Environment configuration](https://docs.opencti.io/5.8.X/deployment/configuration/#platform) +* [Environment configuration](https://docs.opencti.io/5.11.X/deployment/configuration/#platform) * [Connectors](https://github.com/OpenCTI-Platform/connectors/tree/master). Review `docker-compose.yaml` with the properly config * Check connectors samples on `examples` folder diff --git a/charts/opencti/ci/ci-values.yaml b/charts/opencti/ci/ci-values.yaml new file mode 100644 index 0000000..d8f1699 --- /dev/null +++ b/charts/opencti/ci/ci-values.yaml 
@@ -0,0 +1,31 @@ +replicaCount: 1 +fullnameOverride: opencti-ci + +env: + APP__ADMIN__PASSWORD: test + APP__ADMIN__TOKEN: b1976749-8a53-4f49-bf04-cafa2a3458c1 + APP__BASE_PATH: "/" + MINIO__ENDPOINT: opencti-ci-minio + ELASTICSEARCH__URL: http://opencti-ci-elasticsearch:9200 + ELASTICSEARCH__ENGINE_SELECTOR: elk + RABBITMQ__HOSTNAME: opencti-ci-rabbitmq + REDIS__HOSTNAME: opencti-ci-redis-master + REDIS__PORT: 6379 + REDIS__MODE: single + +testConnection: false + +worker: + enabled: false + +elasticsearch: + fullnameOverride: opencti-ci-elasticsearch + +minio: + fullnameOverride: opencti-ci-minio + +rabbitmq: + fullnameOverride: opencti-ci-rabbitmq + +redis: + fullnameOverride: opencti-ci-redis diff --git a/charts/opencti/templates/deployment-opencti-connector.yaml b/charts/opencti/templates/connector/deployment.yaml similarity index 100% rename from charts/opencti/templates/deployment-opencti-connector.yaml rename to charts/opencti/templates/connector/deployment.yaml diff --git a/charts/opencti/templates/role.yaml b/charts/opencti/templates/role.yaml deleted file mode 100644 index 3563833..0000000 --- a/charts/opencti/templates/role.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "opencti.fullname" . }}-restart-services -rules: - - apiGroups: ["apps", "extensions"] - resources: ["deployments"] - resourceNames: ["{{ include "opencti.fullname" . }}-server", "{{ include "opencti.fullname" . }}-worker"] - verbs: ["get", "patch", "list", "watch"] \ No newline at end of file diff --git a/charts/opencti/templates/rolebinding.yaml b/charts/opencti/templates/rolebinding.yaml deleted file mode 100644 index de30ab1..0000000 --- a/charts/opencti/templates/rolebinding.yaml +++ /dev/null 
@@ -1,12 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: deployment-restart-rbc -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ include "opencti.fullname" . }}-restart-services -subjects: - - kind: ServiceAccount - name: {{ include "opencti.fullname" . }} - namespace: {{ .Release.Namespace }} \ No newline at end of file diff --git a/charts/opencti/templates/deployment-opencti-server.yaml b/charts/opencti/templates/server/deployment.yaml similarity index 74% rename from charts/opencti/templates/deployment-opencti-server.yaml rename to charts/opencti/templates/server/deployment.yaml index 1578650..35c5078 100644 --- a/charts/opencti/templates/deployment-opencti-server.yaml +++ b/charts/opencti/templates/server/deployment.yaml 
@@ -37,12 +37,23 @@ spec: serviceAccountName: {{ include "opencti.serviceAccountName" . }} securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- if .Values.readyChecker.enabled }} + initContainers: + {{- range $service := .Values.readyChecker.services }} + - name: ready-checker-{{ $service.name }} + image: busybox:latest + command: + - 'sh' + - '-c' + - 'RETRY=0; until [ $RETRY -eq {{ $.Values.readyChecker.retries }} ]; do nc -zv {{ $.Values.fullnameOverride | default $.Release.Name }}-{{ $service.name }} {{ $service.port }} && break; echo "[$RETRY/{{ $.Values.readyChecker.retries }}] waiting service {{ $.Values.fullnameOverride | default $.Release.Name }}-{{ $service.name }}:{{ $service.port }} is ready"; sleep {{ $.Values.readyChecker.timeout }}; RETRY=$(($RETRY + 1)); done' + {{- end }} + {{- end }} containers: - name: {{ .Chart.Name }}-server securityContext: {{- toYaml .Values.securityContext | nindent 12 }} - {{- if $.Values.global.imageRegistry }} - image: "{{ $.Values.global.imageRegistry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + {{- if .Values.global.imageRegistry }} + image: "{{ .Values.global.imageRegistry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" {{- else }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" {{- end }} @@ -62,8 +73,8 @@ spec: path: {{ .Values.service.healthPath | default "/dashboard" }} port: {{ .Values.service.targetPort | default .Values.service.port }} failureThreshold: 3 - initialDelaySeconds: 30 - periodSeconds: 10 + initialDelaySeconds: 90 + periodSeconds: 30 successThreshold: 1 timeoutSeconds: 5 readinessProbe: 
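Review bot: The ready-checker init container in the added initContainers block exits successfully even when the dependency never answered: the `until [ $RETRY -eq N ]` loop simply terminates once the retries are exhausted, the final `RETRY=$(($RETRY + 1))` returns 0, and the pod goes on to start the server as if the check had passed, so the checker is at best a delay. Append an exhaustion check after the loop, `done; [ $RETRY -lt {{ $.Values.readyChecker.retries }} ] || exit 1`, so the init container fails and the pod stays in Init until the service is actually reachable. The same loop is copied into worker/deployment.yaml in this commit and needs the same fix. Two smaller points on the same lines: `busybox:latest` is an unpinned, mutable tag and, unlike the server image a few lines below, is not routed through `.Values.global.imageRegistry`, so restricted registries cannot be honoured; a pinned tag with the same registry prefix makes the init container reproducible. The pod spec these lines extend begins before the hunk.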
@@ -71,8 +82,17 @@ spec: path: {{ .Values.service.healthPath | default "/dashboard" }} port: {{ .Values.service.targetPort | default .Values.service.port }} failureThreshold: 3 - initialDelaySeconds: 30 - periodSeconds: 10 + initialDelaySeconds: 90 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + startupProbe: + httpGet: + path: {{ .Values.service.healthPath | default "/dashboard" }} + port: {{ .Values.service.targetPort | default .Values.service.port }} + failureThreshold: 3 + initialDelaySeconds: 90 + periodSeconds: 30 successThreshold: 1 timeoutSeconds: 5 {{- end }} diff --git a/charts/opencti/templates/hpa-opencti-server.yaml b/charts/opencti/templates/server/hpa.yaml similarity index 100% rename from charts/opencti/templates/hpa-opencti-server.yaml rename to charts/opencti/templates/server/hpa.yaml diff --git a/charts/opencti/templates/deployment-opencti-worker.yaml b/charts/opencti/templates/worker/deployment.yaml similarity index 84% rename from charts/opencti/templates/deployment-opencti-worker.yaml rename to charts/opencti/templates/worker/deployment.yaml index e643cbe..93fe54b 100644 --- a/charts/opencti/templates/deployment-opencti-worker.yaml +++ b/charts/opencti/templates/worker/deployment.yaml 
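Review bot: The new startupProbe effectively caps container startup at 180 s: it waits `initialDelaySeconds: 90`, then allows `failureThreshold: 3` × `periodSeconds: 30` before the kubelet kills the container, and a cold OpenCTI boot that has to create its search indices may plausibly take longer than that on the 512M-heap subchart defaults this commit introduces. A startupProbe is normally written the other way round — no initial delay, a short period and a large failure threshold, e.g. `initialDelaySeconds: 0`, `periodSeconds: 10`, `failureThreshold: 60` — so slow starts are tolerated while a hung process is still caught. Once the startupProbe exists, the 90 s `initialDelaySeconds` added to the liveness and readiness probes in the previous hunk is redundant, because neither probe runs until the startupProbe has succeeded, and it only delays detection of a real failure. The conditional that the trailing `{{- end }}` closes, and the container spec holding these probes, begin outside this hunk.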
@@ -38,6 +38,15 @@ spec: serviceAccountName: {{ include "opencti.serviceAccountName" . }} securityContext: {{- toYaml .Values.worker.podSecurityContext | nindent 8 }} + {{- if .Values.readyChecker.enabled }} + initContainers: + - name: ready-checker-server + image: busybox:latest + command: + - 'sh' + - '-c' + - 'RETRY=0; until [ $RETRY -eq {{ $.Values.worker.readyChecker.retries }} ]; do nc -zv {{ $.Values.fullnameOverride | default $.Release.Name }}-server {{ $.Values.service.port }} && break; echo "[$RETRY/{{ $.Values.worker.readyChecker.retries }}] waiting service {{ $.Values.fullnameOverride | default $.Release.Name }}-server:{{ $.Values.service.port }} is ready"; sleep {{ $.Values.worker.readyChecker.timeout }}; RETRY=$(($RETRY + 1)); done' + {{- end }} containers: - name: {{ .Chart.Name }}-worker securityContext: diff --git a/charts/opencti/templates/hpa-opencti-worker.yaml b/charts/opencti/templates/worker/hpa.yaml similarity index 100% rename from charts/opencti/templates/hpa-opencti-worker.yaml rename to charts/opencti/templates/worker/hpa.yaml diff --git a/charts/opencti/values.yaml b/charts/opencti/values.yaml index 024f65f..2313eb2 100644 --- a/charts/opencti/values.yaml +++ b/charts/opencti/values.yaml @@ -1,10 +1,10 @@ # -- Global configuration global: imageRegistry: "" - ## E.g. - ## imagePullSecrets: - ## - name: myRegistryKeySecretName - ## + # E.g. + # imagePullSecrets: + # - name: myRegistryKeySecretName + # imagePullSecrets: [] # -- Number of replicas 
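Review bot: The added initContainers block in worker/deployment.yaml is gated on `.Values.readyChecker.enabled`, the server-level flag, while its retries and timeout are read from `.Values.worker.readyChecker`; the `worker.readyChecker.enabled` key this commit adds to values.yaml (and documents in the README) is therefore never evaluated, and setting it to false leaves the worker still waiting on the server. The guard should be `{{- if .Values.worker.readyChecker.enabled }}`. The wait itself targets `{{ $.Values.fullnameOverride | default $.Release.Name }}-server`, which ignores `nameOverride`; if the chart's `opencti.fullname` helper honours `nameOverride` (the helper is not visible here), the checker polls a Service that does not exist and, because the loop exits 0 once its retries run out, silently lets the worker start anyway. Using `{{ include "opencti.fullname" $ }}-server` keeps the checker and the Service name in step. The Deployment spec and the `containers:` list continue outside the hunk.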
@@ -37,20 +37,39 @@ serviceAccount: name: "" # -- Environment variables to configure application -# ref: https://docs.opencti.io/5.8.X/deployment/configuration/#platform -env: {} +# ref: https://docs.opencti.io/5.9.X/deployment/configuration/#platform +env: # Plain vars # foo: bar # my_env: my_value - -# -- Secrets from variables with SOPS cipher + # APP OPENCTI + APP__ADMIN__EMAIL: admin@opencti.io + APP__ADMIN__PASSWORD: ChangeMe + APP__ADMIN__TOKEN: ChangeMe + APP__BASE_PATH: "/" + # MINIO: + MINIO__ENDPOINT: release-name-minio:9000 + # ELASTICSEARCH + ELASTICSEARCH__URL: http://release-name-elasticsearch:9200 + # RABBITMQ + RABBITMQ__HOSTNAME: release-name-rabbitmq + RABBITMQ__PORT_MANAGEMENT: 15672 + RABBITMQ__PORT: 5672 + RABBITMQ__USERNAME: user + RABBITMQ__PASSWORD: ChangeMe + # REDIS + REDIS__HOSTNAME: release-name-redis-master + REDIS__PORT: 6379 + REDIS__MODE: single + +# -- Secrets from variables envFromSecrets: {} # Cipher vars # my_env: # name: release-name-credentials # key: secret_key -# -- Secrets values to create credencials (cipher with SOPS) and reference by envFromSecrets +# -- Secrets values to create credencials and reference by envFromSecrets secrets: {} # -- Kubernetes servide to expose Pod @@ -69,8 +88,26 @@ service: # port: 9080 # targetPort: 9080 -# -- Enable livenessProbe and readinessProbe -testConnection: false +# -- Enable livenessProbe, readinessProbe and startupProbe +testConnection: true + +# -- Enable or disable ready-checker +readyChecker: + enabled: true + # -- Number of retries before giving up + retries: 30 + # -- Timeout for each check + timeout: 5 + # -- List services + services: + - name: elasticsearch + port: 9200 + - name: minio + port: 9000 + - name: rabbitmq + port: 5672 + - name: redis-master + port: 6379 # -- Ingress configuration to expose app ingress: 
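Review bot: `APP__ADMIN__PASSWORD`, `APP__ADMIN__TOKEN` and `RABBITMQ__PASSWORD` are now shipped as plain `env` defaults, which the templates render as literal `value:` entries in the Deployment — readable by anyone who can get deployments or pods and stored in the Helm release history — while the chart's own `secrets`/`envFromSecrets` mechanism on the lines just below exists for exactly these keys. Keeping them as commented examples under `# Plain vars`, or documenting them as required overrides via `envFromSecrets`, avoids a credential default that every unmodified install shares. The `# ref:` comment in the same hunk points at `5.9.X` while the worker block in this commit and `appVersion: "5.11.13"` use 5.11; `# ref: https://docs.opencti.io/5.11.X/deployment/configuration/#platform` keeps them consistent. `RABBITMQ__PORT`, `RABBITMQ__PORT_MANAGEMENT` and `REDIS__PORT` are unquoted integers; unless the env template passes values through `quote`, Kubernetes rejects a non-string `EnvVar.value`, so `"5672"` and friends are the safer form.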
@@ -143,7 +180,7 @@ connectors: [] # # my_env: my_value # # -- Pod annotations # podAnnotations: {} -# # -- Secrets from variables with SOPS cipher +# # -- Secrets from variables # envFromSecrets: {} # # Cipher vars # # my_env: @@ -176,6 +213,14 @@ worker: # -- Number of replicas replicaCount: 1 + # -- Enable or disable ready-checker waiting server is ready + readyChecker: + enabled: true + # -- Number of retries before giving up + retries: 30 + # -- Timeout for each check + timeout: 5 + # -- Image registry image: repository: opencti/worker @@ -184,13 +229,14 @@ worker: tag: "" # -- Environment variables to configure application - # ref: https://docs.opencti.io/5.8.X/deployment/configuration/#platform - env: {} + # ref: https://docs.opencti.io/5.11.X/deployment/configuration/#platform + env: # Plain vars # foo: bar # my_env: my_value + WORKER_LOG_LEVEL: info - # -- Secrets from variables with SOPS cipher + # -- Secrets from variables envFromSecrets: {} # Cipher vars # my_env: 
@@ -227,24 +273,160 @@ worker: # -- Affinity for pod assignment affinity: {} +# -- OpenSearch subchart deployment +# ref: https://github.com/opensearch-project/helm-charts/blob/opensearch-2.16.1/charts/opensearch/values.yaml +opensearch: + # -- Enable or disable OpenSearch subchart + enabled: false + + # -- OpenSearch Java options + opensearchJavaOpts: "-Xmx512M -Xms512M" + + # -- If discovery.type in the opensearch configuration is set to "single-node", + # this should be set to "true" + # If "true", replicas will be forced to 1 + singleNode: true + + # -- Enable persistence using Persistent Volume Claims + # ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + persistence: + enabled: false + +# -- ElasticSearch subchart deployment +# ref: https://github.com/bitnami/charts/blob/main/bitnami/elasticsearch/values.yaml +elasticsearch: + # -- Enable or disable ElasticSearch subchart + enabled: true + + ## Kernel settings modifier image + ## + sysctlImage: + ## @param sysctlImage.enabled Enable kernel settings modifier image + ## + enabled: false + + # -- Elasticsearch cluster name + clusterName: elastic + + extraEnvVars: + - name: ES_JAVA_OPTS + value: "-Xms512M -Xmx512M" + + ## @section Master-elegible nodes parameters + master: + # -- Deploy the Elasticsearch master-elegible nodes as master-only nodes. Recommended for high-demand deployments. 
+ masterOnly: true + # -- Number of master-elegible replicas to deploy + replicaCount: 1 + # -- Enable persistence using Persistent Volume Claims + # ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + persistence: + # -- Enable persistence using a `PersistentVolumeClaim` + enabled: false + + # -- Data-only nodes parameters + data: + # -- Number of data-only replicas to deploy + replicaCount: 1 + + # -- Enable persistence using Persistent Volume Claims + # ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + persistence: + # -- Enable persistence using a `PersistentVolumeClaim` + enabled: false + + # -- Ingest-only nodes parameters + ingest: + # -- Enable ingest nodes + enabled: false + + # -- Coordinating-only nodes parameters + coordinating: + # -- Number of coordinating-only replicas to deploy + replicaCount: 0 # -- MinIO subchart deployment # ref: https://github.com/bitnami/charts/blob/main/bitnami/minio/values.yaml # minio: - enabled: false + # -- Enable or disable MinIO subchart + enabled: true -# -- OpenSearch subchart deployment -# ref: https://github.com/opensearch-project/helm-charts/blob/opensearch-2.13.0/charts/opensearch/values.yaml -opensearch: - enabled: false + # -- mode Minio server mode (`standalone` or `distributed`) + # ref: https://docs.minio.io/docs/distributed-minio-quickstart-guide + mode: standalone + # Minio authentication parameters + auth: + # -- Minio root username + rootUser: ChangeMe + # -- Password for Minio root user + rootPassword: ChangeMe + + # -- Enable persistence using Persistent Volume Claims + # ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + persistence: + # -- Enable MinIO data persistence using PVC. 
If false, use emptyDir + enabled: false # -- RabbitMQ subchart deployment # ref: https://github.com/bitnami/charts/blob/main/bitnami/rabbitmq/values.yaml rabbitmq: - enabled: false + # -- Enable or disable RabbitMQ subchart + enabled: true + + # -- Number of RabbitMQ replicas to deploy + replicaCount: 1 + + # -- Clustering settings + clustering: + # -- Enable RabitMQ clustering + enabled: false + + # -- RabbitMQ Authentication parameters + auth: + # -- RabbitMQ application username + # ref: https://github.com/bitnami/containers/tree/main/bitnami/rabbitmq#environment-variables + username: user + # -- RabbitMQ application password + # ref: https://github.com/bitnami/containers/tree/main/bitnami/rabbitmq#environment-variables + password: ChangeMe + erlangCookie: b25c953e-2193-4b8e-9f3b-9a3a5ba76d75 + + # -- Persistence parameters + persistence: + # -- Enable RabbitMQ data persistence using PVC + enabled: false # -- Redis subchart deployment # ref: https://github.com/bitnami/charts/blob/main/bitnami/redis/values.yaml redis: - enabled: false + # -- Enable or disable Redis subchart + enabled: true + + # -- Redis architecture. 
Allowed values: `standalone` or `replication` + architecture: standalone + # -- Redis Authentication parameters + # ref: https://github.com/bitnami/containers/tree/main/bitnami/redis#setting-the-server-password-on-first-run + auth: + # -- Enable password authentication + enabled: false + + # -- Redis master configuration parameters + master: + # -- Number of Redis master instances to deploy (experimental, requires additional configuration) + count: 1 + # -- Persistence parameters + # ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + persistence: + # -- Enable persistence on Redis master nodes using Persistent Volume Claims + enabled: false + + # -- Redis replicas configuration parameters + replica: + # -- Number of Redis replicas to deploy + replicaCount: 1 + # -- Persistence parameters + # ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + persistence: + # -- Enable persistence on Redis master nodes using Persistent Volume Claims + enabled: false diff --git a/ct.yaml b/ct.yaml index 683be27..a114696 100644 --- a/ct.yaml +++ b/ct.yaml @@ -7,5 +7,5 @@ chart-repos: - bitnami=https://charts.bitnami.com/bitnami - opensearch=https://opensearch-project.github.io/helm-charts/ - oauth2-proxy=https://oauth2-proxy.github.io/manifests/ -helm-extra-args: --timeout 600s --wait +helm-extra-args: --timeout 600s debug: true
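Review bot: `erlangCookie: b25c953e-2193-4b8e-9f3b-9a3a5ba76d75` commits a fixed Erlang cookie as the chart default, so every release installed from this chart shares the credential that authorises node-to-node and `rabbitmqctl` remote-shell access to the broker VM, and it is the one key in this block without a `# --` comment, so it does not even appear in the generated README. Leave it unset (the Bitnami subchart appears to generate a random cookie when the value is empty — worth confirming against its templates) or document it as a mandatory override alongside `password`. The same shared-default concern applies to `minio.auth.rootUser`/`rootPassword: ChangeMe` and to `redis.auth.enabled: false`, which now ships an unauthenticated Redis reachable from any pod that can route to its Service, where the previous defaults did not deploy these subcharts at all. `sysctlImage.enabled: false` also turns off the kernel-settings init container; nodes then need `vm.max_map_count` raised some other way or Elasticsearch's bootstrap check refuses to start, and a comment stating that prerequisite next to the key would save users a confusing failure.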