# opencti

A Helm chart to deploy Open Cyber Threat Intelligence platform

> [!NOTE]
> The default `values.yaml` provided with this chart will **not work out-of-the-box**.
> Please refer to the [`ci/ci-standalone-values.yaml`](./ci/ci-standalone-values.yaml) example for a working configuration suitable for CI/CD installations.
> Additionally, make sure to read the [`docs/configuration.md`](./docs/configuration.md) guide for detailed configuration instructions and best practices.

## Maintainers

| Name | Email | Url |
| ---- | ------ | --- |
| ialejandro | | |

## Prerequisites

* Helm 3+

## Requirements

| Repository | Name | Version |
|------------|------|---------|
| https://charts.min.io/ | minio | 5.4.0 |
| https://helm.elastic.co | eck-stack | 0.16.0 |
| https://opensearch-project.github.io/helm-charts/ | opensearch | 3.2.1 |
| oci://ghcr.io/dragonflydb/dragonfly/helm | redis(dragonfly) | v1.34.1 |
| oci://registry-1.docker.io/bitnamicharts | rabbitmq | 16.0.13 |

## Add repository

```console
helm repo add opencti https://devops-ia.github.io/helm-opencti
helm repo update
```

## Install Helm chart (repository mode)

```console
helm install [RELEASE_NAME] opencti/opencti
```

This installs all the Kubernetes components associated with the chart and creates the release.

_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._

## Install Helm chart (OCI mode)

Charts are also available in OCI format. The list of available charts can be found [here](https://github.com/devops-ia/helm-opencti/pkgs/container/helm-opencti%2Fopencti).

```console
helm install [RELEASE_NAME] oci://ghcr.io/devops-ia/helm-opencti/opencti --version=[version]
```

## Uninstall Helm chart

```console
helm uninstall [RELEASE_NAME]
```

This removes all the Kubernetes components associated with the chart and deletes the release.

_See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for command documentation._

## OpenCTI

* [Environment configuration](https://docs.opencti.io/latest/deployment/configuration/#platform)
* [Connectors](https://github.com/OpenCTI-Platform/connectors/tree/master). Review the `docker-compose.yaml` for the proper configuration
* Check the connector samples in the [`connector-examples`](./connector-examples) folder

## Basic installation and examples

See [basic installation](docs/configuration.md), [clustering installation](docs/configuration-clustering-mode.md) and [examples](docs/examples.md).

## Upgrades

See [Upgrade guide: v1 to v2](docs/guides/UPGRADE-v1-to-v2.md)

## Configuration

See [Customizing the chart before installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). To see all configurable options with comments:

```console
helm show values opencti/opencti
```

## Values

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| affinity | object | `{}` | Affinity for pod assignment. Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity |
| args | list | `[]` | Configure args. Ref: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/ |
| autoscaling | object | `{"enabled":false,"maxReplicas":100,"minReplicas":1,"targetCPUUtilizationPercentage":80}` | Autoscaling with CPU or memory utilization percentage. Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ |
| clustering | object | `{"enabled":false,"frontend":{"affinity":{},"autoscaling":{"enabled":false,"maxReplicas":10,"minReplicas":2,"targetCPUUtilizationPercentage":70,"targetMemoryUtilizationPercentage":80},"enabled":true,"env":{"NOTIFICATION_MANAGER__ENABLED":false,"RULE_ENGINE__ENABLED":false,"TASK_SCHEDULER__ENABLED":false},"ingress":{"annotations":{},"className":"","enabled":false,"hosts":[{"host":"opencti-frontend.local","paths":[{"path":"/","pathType":"ImplementationSpecific"}]}],"tls":[]},"networkPolicy":{"egress":[],"enabled":false,"ingress":[],"policyTypes":[]},"podDisruptionBudget":{"enabled":false,"maxUnavailable":1},"replicaCount":2,"resources":{},"service":{"annotations":{},"appProtocol":"HTTP","extraPorts":[],"labels":{},"port":80,"portName":"http","protocol":"TCP","targetPort":4000,"type":"ClusterIP"},"tolerations":[],"topologySpreadConstraints":[]},"ingestion":{"affinity":{},"autoscaling":{"enabled":false,"maxReplicas":20,"minReplicas":3,"targetCPUUtilizationPercentage":80,"targetMemoryUtilizationPercentage":85},"enabled":true,"env":{},"networkPolicy":{"egress":[],"enabled":false,"ingress":[],"policyTypes":[]},"podDisruptionBudget":{"enabled":false,"maxUnavailable":2},"replicaCount":3,"resources":{},"service":{"annotations":{},"appProtocol":"HTTP","extraPorts":[],"labels":{},"port":80,"portName":"http","protocol":"TCP","targetPort":4000,"type":"ClusterIP"},"tolerations":[],"topologySpreadConstraints":[]}}` | OpenCTI Clustering configuration |
| clustering.enabled | bool | `false` | Enable or disable clustering mode |
| clustering.frontend | object | `{"affinity":{},"autoscaling":{"enabled":false,"maxReplicas":10,"minReplicas":2,"targetCPUUtilizationPercentage":70,"targetMemoryUtilizationPercentage":80},"enabled":true,"env":{"NOTIFICATION_MANAGER__ENABLED":false,"RULE_ENGINE__ENABLED":false,"TASK_SCHEDULER__ENABLED":false},"ingress":{"annotations":{},"className":"","enabled":false,"hosts":[{"host":"opencti-frontend.local","paths":[{"path":"/","pathType":"ImplementationSpecific"}]}],"tls":[]},"networkPolicy":{"egress":[],"enabled":false,"ingress":[],"policyTypes":[]},"podDisruptionBudget":{"enabled":false,"maxUnavailable":1},"replicaCount":2,"resources":{},"service":{"annotations":{},"appProtocol":"HTTP","extraPorts":[],"labels":{},"port":80,"portName":"http","protocol":"TCP","targetPort":4000,"type":"ClusterIP"},"tolerations":[],"topologySpreadConstraints":[]}` | Frontend cluster configuration (UI/API) |
| clustering.frontend.affinity | object | `{}` | Frontend affinity |
| clustering.frontend.autoscaling | object | `{"enabled":false,"maxReplicas":10,"minReplicas":2,"targetCPUUtilizationPercentage":70,"targetMemoryUtilizationPercentage":80}` | Frontend autoscaling |
| clustering.frontend.enabled | bool | `true` | Enable frontend deployment |
| clustering.frontend.env | object | `{"NOTIFICATION_MANAGER__ENABLED":false,"RULE_ENGINE__ENABLED":false,"TASK_SCHEDULER__ENABLED":false}` | Frontend-specific environment variables. Ref: https://docs.opencti.io/latest/deployment/clustering/#managers-and-schedulers |
| clustering.frontend.ingress | object | `{"annotations":{},"className":"","enabled":false,"hosts":[{"host":"opencti-frontend.local","paths":[{"path":"/","pathType":"ImplementationSpecific"}]}],"tls":[]}` | Frontend ingress configuration |
| clustering.frontend.networkPolicy | object | `{"egress":[],"enabled":false,"ingress":[],"policyTypes":[]}` | Frontend network policy |
| clustering.frontend.podDisruptionBudget | object | `{"enabled":false,"maxUnavailable":1}` | Frontend pod disruption budget |
| clustering.frontend.replicaCount | int | `2` | Number of replicas for frontend |
| clustering.frontend.resources | object | `{}` | Frontend resources |
| clustering.frontend.service | object | `{"annotations":{},"appProtocol":"HTTP","extraPorts":[],"labels":{},"port":80,"portName":"http","protocol":"TCP","targetPort":4000,"type":"ClusterIP"}` | Frontend service configuration |
| clustering.frontend.service.annotations | object | `{}` | Annotations for the service |
| clustering.frontend.service.appProtocol | string | `"HTTP"` | Application protocol (HTTP, HTTPS, etc.) |
| clustering.frontend.service.extraPorts | list | `[]` | Pod extra ports |
| clustering.frontend.service.labels | object | `{}` | Additional labels for the service |
| clustering.frontend.service.port | int | `80` | Kubernetes Service port |
| clustering.frontend.service.portName | string | `"http"` | Name for the service port |
| clustering.frontend.service.protocol | string | `"TCP"` | Protocol for the service port |
| clustering.frontend.service.targetPort | int | `4000` | Port exposed by the Pod |
| clustering.frontend.service.type | string | `"ClusterIP"` | Kubernetes Service type |
| clustering.frontend.tolerations | list | `[]` | Frontend tolerations |
| clustering.frontend.topologySpreadConstraints | list | `[]` | Frontend topology spread constraints |
| clustering.ingestion | object | `{"affinity":{},"autoscaling":{"enabled":false,"maxReplicas":20,"minReplicas":3,"targetCPUUtilizationPercentage":80,"targetMemoryUtilizationPercentage":85},"enabled":true,"env":{},"networkPolicy":{"egress":[],"enabled":false,"ingress":[],"policyTypes":[]},"podDisruptionBudget":{"enabled":false,"maxUnavailable":2},"replicaCount":3,"resources":{},"service":{"annotations":{},"appProtocol":"HTTP","extraPorts":[],"labels":{},"port":80,"portName":"http","protocol":"TCP","targetPort":4000,"type":"ClusterIP"},"tolerations":[],"topologySpreadConstraints":[]}` | Ingestion cluster configuration (Processing/Workers) |
| clustering.ingestion.affinity | object | `{}` | Ingestion affinity |
| clustering.ingestion.autoscaling | object | `{"enabled":false,"maxReplicas":20,"minReplicas":3,"targetCPUUtilizationPercentage":80,"targetMemoryUtilizationPercentage":85}` | Ingestion autoscaling |
| clustering.ingestion.enabled | bool | `true` | Enable ingestion deployment |
| clustering.ingestion.env | object | `{}` | Ingestion-specific environment variables |
| clustering.ingestion.networkPolicy | object | `{"egress":[],"enabled":false,"ingress":[],"policyTypes":[]}` | Ingestion network policy |
| clustering.ingestion.podDisruptionBudget | object | `{"enabled":false,"maxUnavailable":2}` | Ingestion pod disruption budget |
| clustering.ingestion.replicaCount | int | `3` | Number of replicas for ingestion |
| clustering.ingestion.resources | object | `{}` | Ingestion resources |
| clustering.ingestion.service | object | `{"annotations":{},"appProtocol":"HTTP","extraPorts":[],"labels":{},"port":80,"portName":"http","protocol":"TCP","targetPort":4000,"type":"ClusterIP"}` | Ingestion service configuration (internal) |
| clustering.ingestion.service.annotations | object | `{}` | Annotations for the service |
| clustering.ingestion.service.appProtocol | string | `"HTTP"` | Application protocol (HTTP, HTTPS, etc.) |
| clustering.ingestion.service.extraPorts | list | `[]` | Pod extra ports |
| clustering.ingestion.service.labels | object | `{}` | Additional labels for the service |
| clustering.ingestion.service.port | int | `80` | Kubernetes Service port |
| clustering.ingestion.service.portName | string | `"http"` | Name for the service port |
| clustering.ingestion.service.protocol | string | `"TCP"` | Protocol for the service port |
| clustering.ingestion.service.targetPort | int | `4000` | Port exposed by the Pod |
| clustering.ingestion.service.type | string | `"ClusterIP"` | Kubernetes Service type |
| clustering.ingestion.tolerations | list | `[]` | Ingestion tolerations |
| clustering.ingestion.topologySpreadConstraints | list | `[]` | Ingestion topology spread constraints |
| command | list | `[]` | Configure command. Ref: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/ |
| configMaps | list | `[]` | ConfigMap values to create configuration files. Generate ConfigMap with following name: -. Ref: https://kubernetes.io/docs/concepts/configuration/configmap/ |
| connectors | list | `[]` | Connectors. Ref: https://github.com/OpenCTI-Platform/connectors/tree/master |
| connectorsGlobal | object | `{"env":{},"envFromConfigMap":{},"envFromFiles":[],"envFromSecrets":{},"volumeMounts":[],"volumes":[]}` | Connectors global configuration |
| connectorsGlobal.env | object | `{}` | Additional environment variables on the output connector definition |
| connectorsGlobal.envFromConfigMap | object | `{}` | Variables from configMap |
| connectorsGlobal.envFromFiles | list | `[]` | Load all variables from files |
| connectorsGlobal.envFromSecrets | object | `{}` | Variables from secrets |
| connectorsGlobal.volumeMounts | list | `[]` | Additional volumeMounts on the output connector Deployment definition |
| connectorsGlobal.volumes | list | `[]` | Additional volumes on the output connector Deployment definition |
| dnsConfig | object | `{}` | Configure DNS. Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ |
| dnsPolicy | string | `"ClusterFirst"` | Configure DNS policy. Options: ClusterFirst, Default, ClusterFirstWithHostNet, None. Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ |
| eck-stack | object | `{"eck-elasticsearch":{"enabled":true,"http":{"tls":{"selfSignedCertificate":{"disabled":true}}},"nodeSets":[{"config":{"node.roles":["master","data","ingest"],"node.store.allow_mmap":false},"count":1,"name":"default","podTemplate":{"spec":{"containers":[{"name":"elasticsearch","resources":{"limits":{"memory":"2Gi"},"requests":{"cpu":"500m","memory":"2Gi"}}}],"volumes":[{"emptyDir":{},"name":"elasticsearch-data"}]}}}]},"eck-kibana":{"enabled":false},"enabled":false}` | ECK stack subchart deployment. Ref: https://github.com/elastic/cloud-on-k8s/blob/main/deploy/eck-stack/values.yaml |
| eck-stack.enabled | bool | `false` | Enable or disable ElasticSearch subchart |
| env | object | `{"APP__ADMIN__EMAIL":"admin@opencti.io","APP__ADMIN__PASSWORD":"ChangeMe","APP__ADMIN__TOKEN":"ChangeMe","APP__BASE_PATH":"/","APP__GRAPHQL__PLAYGROUND__ENABLED":false,"APP__GRAPHQL__PLAYGROUND__FORCE_DISABLED_INTROSPECTION":false,"APP__HEALTH_ACCESS_KEY":"ChangeMe","APP__TELEMETRY__METRICS__ENABLED":true,"ELASTICSEARCH__URL":"http://release-name-elasticsearch:9200","MINIO__ENDPOINT":"release-name-minio:9000","NODE_OPTIONS":"--max-old-space-size=8096","PROVIDERS__LOCAL__STRATEGY":"LocalStrategy","RABBITMQ__HOSTNAME":"release-name-rabbitmq","RABBITMQ__PASSWORD":"ChangeMe","RABBITMQ__PORT":5672,"RABBITMQ__PORT_MANAGEMENT":15672,"RABBITMQ__USERNAME":"user","REDIS__HOSTNAME":"release-name-redis-master","REDIS__MODE":"single","REDIS__PORT":6379}` | Environment variables to configure application. Ref: https://docs.opencti.io/latest/deployment/configuration/#platform |
| envFromConfigMap | object | `{}` | Variables from configMap |
| envFromFiles | list | `[]` | Load all variables from files. Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables |
| envFromSecrets | object | `{}` | Variables from secrets |
| fullnameOverride | string | `""` | String to fully override opencti.fullname template |
| global | object | `{"imagePullSecrets":[],"imageRegistry":""}` | Global section contains configuration options that are applied to all services |
| global.imagePullSecrets | list | `[]` | Specifies the secrets to use for pulling images from private registries. Leave empty if no secrets are required. E.g. imagePullSecrets: - name: myRegistryKeySecretName |
| global.imageRegistry | string | `""` | Specifies the registry to pull images from. Leave empty for the default registry |
| image | object | `{"pullPolicy":"IfNotPresent","repository":"opencti/platform","tag":""}` | Image registry configuration for the base service |
| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the image |
| image.repository | string | `"opencti/platform"` | Repository of the image |
| image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion |
| imagePullSecrets | list | `[]` | Specifies the secrets to use for pulling images from private registries. Leave empty if no secrets are required. E.g. imagePullSecrets: - name: myRegistryKeySecretName |
| ingress | object | `{"annotations":{},"className":"","enabled":false,"hosts":[{"host":"chart-example.local","paths":[{"path":"/","pathType":"ImplementationSpecific"}]}],"tls":[]}` | Ingress configuration to expose app. Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ |
| initContainers | list | `[]` | Configure additional containers. Ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ |
| lifecycle | object | `{}` | Configure lifecycle hooks. Ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ and https://learnk8s.io/graceful-shutdown |
| livenessProbe | object | `{"enabled":true,"failureThreshold":3,"initialDelaySeconds":180,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":5}` | Configure liveness checker. Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes |
| livenessProbeCustom | object | `{}` | Custom livenessProbe |
| minio | object | `{"enabled":true,"mode":"standalone","persistence":{"enabled":false},"resources":{"requests":{"memory":"512Mi"}},"rootPassword":"ChangeMe","rootUser":"ChangeMe"}` | MinIO subchart deployment. Ref: https://github.com/minio/minio/blob/main/helm/minio/values.yaml |
| minio.enabled | bool | `true` | Enable or disable MinIO subchart |
| nameOverride | string | `""` | String to partially override opencti.fullname template (will maintain the release name) |
| networkPolicy | object | `{"egress":[],"enabled":false,"ingress":[],"policyTypes":[]}` | NetworkPolicy configuration. Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ |
| networkPolicy.enabled | bool | `false` | Enable or disable NetworkPolicy |
| networkPolicy.policyTypes | list | `[]` | Policy types |
| nodeSelector | object | `{}` | Node labels for pod assignment. Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
| opensearch | object | `{"enabled":true,"opensearchJavaOpts":"-Xmx512M -Xms512M","persistence":{"enabled":false},"singleNode":true}` | OpenSearch subchart deployment. Ref: https://github.com/opensearch-project/helm-charts/blob/main/charts/opensearch/values.yaml |
| opensearch.enabled | bool | `true` | Enable or disable OpenSearch subchart |
| podAnnotations | object | `{}` | Configure annotations on Pods |
| podDisruptionBudget | object | `{"enabled":false,"maxUnavailable":1}` | Pod Disruption Budget. Ref: https://kubernetes.io/docs/reference/kubernetes-api/policy-resources/pod-disruption-budget-v1/ |
| podLabels | object | `{}` | Configure labels on Pods |
| podSecurityContext | object | `{}` | Defines privilege and access control settings for a Pod. Ref: https://kubernetes.io/docs/concepts/security/pod-security-standards/ and https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ |
| rabbitmq | object | `{"auth":{"erlangCookie":"ChangeMe","password":"ChangeMe","username":"user"},"clustering":{"enabled":false},"enabled":true,"global":{"security":{"allowInsecureImages":true}},"image":{"repository":"bitnamilegacy/rabbitmq","tag":"4.1.2-debian-12-r1"},"persistence":{"enabled":false},"replicaCount":1}` | RabbitMQ subchart deployment. Ref: https://github.com/bitnami/charts/blob/main/bitnami/rabbitmq/values.yaml |
| rabbitmq.enabled | bool | `true` | Enable or disable RabbitMQ subchart |
| readinessProbe | object | `{"enabled":true,"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":1}` | Configure readinessProbe checker. Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes |
| readinessProbeCustom | object | `{}` | Custom readinessProbe |
| readyChecker | object | `{"enabled":false,"pullPolicy":"IfNotPresent","repository":"busybox","retries":30,"services":[{"name":"elasticsearch","port":9200},{"name":"minio","port":9000},{"name":"rabbitmq","port":5672},{"name":"redis","port":6379}],"tag":"latest","timeout":5}` | Enable or disable ready-checker |
| readyChecker.enabled | bool | `false` | Enable or disable ready-checker |
| readyChecker.pullPolicy | string | `"IfNotPresent"` | Pull policy for the image |
| readyChecker.repository | string | `"busybox"` | Repository of the image |
| readyChecker.retries | int | `30` | Number of retries before giving up |
| readyChecker.services | list | `[{"name":"elasticsearch","port":9200},{"name":"minio","port":9000},{"name":"rabbitmq","port":5672},{"name":"redis","port":6379}]` | List of services |
| readyChecker.tag | string | `"latest"` | Overrides the image tag |
| readyChecker.timeout | int | `5` | Timeout for each check |
| redis | object | `{"enabled":true,"storage":{"enabled":false}}` | Dragonfly subchart deployment (alias: Redis). Ref: https://github.com/dragonflydb/dragonfly/blob/main/contrib/charts/dragonfly/values.yaml |
| redis.enabled | bool | `true` | Enable or disable Dragonfly subchart |
| replicaCount | int | `1` | Number of replicas for the service |
| resources | object | `{}` | Resource limits and requests. Ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
| secrets | list | `[]` | Secret values to create credentials, referenced by envFromSecrets. Generate Secret with following name: -. Ref: https://kubernetes.io/docs/concepts/configuration/secret/ |
| securityContext | object | `{}` | Defines privilege and access control settings for a Container. Ref: https://kubernetes.io/docs/concepts/security/pod-security-standards/ and https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ |
| service | object | `{"annotations":{},"appProtocol":"HTTP","extraPorts":[],"labels":{},"loadBalancer":{},"port":80,"portName":"http","protocol":"TCP","targetPort":4000,"type":"ClusterIP"}` | Kubernetes service to expose Pod. Ref: https://kubernetes.io/docs/concepts/services-networking/service/ |
| service.annotations | object | `{}` | Annotations for the service |
| service.appProtocol | string | `"HTTP"` | Application protocol (HTTP, HTTPS, etc.) |
| service.extraPorts | list | `[]` | Pod extra ports |
| service.labels | object | `{}` | Additional labels for the service |
| service.loadBalancer | object | `{}` | LoadBalancer specific configuration |
| service.port | int | `80` | Kubernetes Service port |
| service.portName | string | `"http"` | Name for the service port |
| service.protocol | string | `"TCP"` | Protocol for the service port |
| service.targetPort | int | `4000` | Port exposed by the Pod |
| service.type | string | `"ClusterIP"` | Kubernetes Service type. Allowed values: NodePort, LoadBalancer, ClusterIP, ExternalName |
| serviceAccount | object | `{"annotations":{},"automountServiceAccountToken":false,"create":true,"name":""}` | Enable creation of ServiceAccount |
| serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
| serviceAccount.automountServiceAccountToken | bool | `false` | Specifies whether the kubelet automatically mounts the ServiceAccount's API credentials |
| serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
| serviceAccount.name | string | `""` | Name of the service account to use. If not set and create is true, a name is generated using the fullname template |
| serviceMonitor | object | `{"enabled":false,"interval":"30s","metricRelabelings":[],"relabelings":[],"scrapeTimeout":"10s"}` | Enable ServiceMonitor to get metrics. Ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#servicemonitor |
| serviceMonitor.enabled | bool | `false` | Enable or disable ServiceMonitor |
| startupProbe | object | `{"enabled":true,"failureThreshold":30,"initialDelaySeconds":180,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":5}` | Configure startupProbe checker. Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes |
| startupProbeCustom | object | `{}` | Custom startupProbe |
| strategy | object | `{}` | Configure strategy for the deployment |
| terminationGracePeriodSeconds | int | `30` | Configure Pod termination grace period. Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination |
| testConnection | bool | `false` | Enable or disable test connection |
| tolerations | list | `[]` | Tolerations for pod assignment. Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
| topologySpreadConstraints | list | `[]` | Control how Pods are spread across your cluster. Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/#example-multiple-topologyspreadconstraints |
| volumeMounts | list | `[]` | Additional volumeMounts on the output Deployment definition |
| volumes | list | `[]` | Additional volumes on the output Deployment definition |
| worker | object | `{"affinity":{},"args":[],"autoscaling":{"enabled":false,"maxReplicas":100,"minReplicas":1,"targetCPUUtilizationPercentage":80},"command":[],"configMaps":[],"dnsConfig":{},"dnsPolicy":"ClusterFirst","enabled":true,"env":{"WORKER_LOG_LEVEL":"info","WORKER_TELEMETRY_ENABLED":true},"envFromConfigMap":{},"envFromFiles":[],"envFromSecrets":{},"image":{"pullPolicy":"IfNotPresent","repository":"opencti/worker","tag":""},"imagePullSecrets":[],"initContainers":[],"lifecycle":{},"networkPolicy":{"egress":[],"enabled":false,"ingress":[],"policyTypes":[]},"nodeSelector":{},"podAnnotations":{},"podDisruptionBudget":{"enabled":false,"maxUnavailable":1},"podLabels":{},"podSecurityContext":{},"readyChecker":{"enabled":true,"pullPolicy":"IfNotPresent","repository":"busybox","retries":30,"tag":"latest","timeout":5},"replicaCount":1,"resources":{},"secrets":[],"securityContext":{},"serviceMonitor":{"enabled":false,"interval":"30s","metricRelabelings":[],"relabelings":[],"scrapeTimeout":"10s"},"strategy":{},"terminationGracePeriodSeconds":30,"tolerations":[],"topologySpreadConstraints":[],"volumeMounts":[],"volumes":[]}` | OpenCTI worker deployment configuration. Ref: https://docs.opencti.io/latest/deployment/overview/#workers |
| worker.affinity | object | `{}` | Affinity for pod assignment. Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity |
| worker.args | list | `[]` | Configure args. Ref: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/ |
| worker.autoscaling | object | `{"enabled":false,"maxReplicas":100,"minReplicas":1,"targetCPUUtilizationPercentage":80}` | Autoscaling with CPU or memory utilization percentage. Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ |
| worker.command | list | `[]` | Configure command. Ref: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/ |
| worker.configMaps | list | `[]` | ConfigMap values to create configuration files. Generate ConfigMap with following name: -. Ref: https://kubernetes.io/docs/concepts/configuration/configmap/ |
| worker.dnsConfig | object | `{}` | Configure DNS. Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ |
| worker.dnsPolicy | string | `"ClusterFirst"` | Configure DNS policy. Options: ClusterFirst, Default, ClusterFirstWithHostNet, None. Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ |
| worker.enabled | bool | `true` | Enable or disable worker |
| worker.env | object | `{"WORKER_LOG_LEVEL":"info","WORKER_TELEMETRY_ENABLED":true}` | Environment variables to configure application. Ref: https://docs.opencti.io/latest/deployment/configuration/#platform |
| worker.envFromConfigMap | object | `{}` | Variables from configMap |
| worker.envFromFiles | list | `[]` | Load all variables from files. Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables |
| worker.envFromSecrets | object | `{}` | Variables from secrets |
| worker.image | object | `{"pullPolicy":"IfNotPresent","repository":"opencti/worker","tag":""}` | Image registry configuration for the base service |
| worker.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the image |
| worker.image.repository | string | `"opencti/worker"` | Repository of the image |
| worker.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion |
| worker.imagePullSecrets | list | `[]` | Specifies the secrets to use for pulling images from private registries. Leave empty if no secrets are required. E.g. imagePullSecrets: - name: myRegistryKeySecretName |
| worker.initContainers | list | `[]` | Configure additional containers. Ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ |
| worker.lifecycle | object | `{}` | Configure lifecycle hooks. Ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ and https://learnk8s.io/graceful-shutdown |
| worker.networkPolicy | object | `{"egress":[],"enabled":false,"ingress":[],"policyTypes":[]}` | NetworkPolicy configuration. Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ |
| worker.networkPolicy.enabled | bool | `false` | Enable or disable NetworkPolicy |
| worker.networkPolicy.policyTypes | list | `[]` | Policy types |
| worker.nodeSelector | object | `{}` | Node labels for pod assignment. Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
| worker.podAnnotations | object | `{}` | Configure annotations on Pods |
| worker.podDisruptionBudget | object | `{"enabled":false,"maxUnavailable":1}` | Pod Disruption Budget. Ref: https://kubernetes.io/docs/reference/kubernetes-api/policy-resources/pod-disruption-budget-v1/ |
| worker.podLabels | object | `{}` | Configure labels on Pods |
| worker.podSecurityContext | object | `{}` | Defines privilege and access control settings for a Pod. Ref: https://kubernetes.io/docs/concepts/security/pod-security-standards/ and https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ |
| worker.readyChecker | object | `{"enabled":true,"pullPolicy":"IfNotPresent","repository":"busybox","retries":30,"tag":"latest","timeout":5}` | Enable or disable the ready-checker that waits until the server is ready |
| worker.readyChecker.enabled | bool | `true` | Enable or disable ready-checker |
| worker.readyChecker.pullPolicy | string | `"IfNotPresent"` | Pull policy for the image |
| worker.readyChecker.repository | string | `"busybox"` | Repository of the image |
| worker.readyChecker.retries | int | `30` | Number of retries before giving up |
| worker.readyChecker.tag | string | `"latest"` | Overrides the image tag |
| worker.readyChecker.timeout | int | `5` | Timeout for each check |
| worker.replicaCount | int | `1` | Number of replicas for the service |
| worker.resources | object | `{}` | Resource limits and requests. Ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
| worker.secrets | list | `[]` | Secret values to create credentials, referenced by envFromSecrets. Generate Secret with following name: -. Ref: https://kubernetes.io/docs/concepts/configuration/secret/ |
| worker.securityContext | object | `{}` | Defines privilege and access control settings for a Container. Ref: https://kubernetes.io/docs/concepts/security/pod-security-standards/ and https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ |
| worker.serviceMonitor | object | `{"enabled":false,"interval":"30s","metricRelabelings":[],"relabelings":[],"scrapeTimeout":"10s"}` | Enable ServiceMonitor to get metrics. Ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#servicemonitor |
| worker.serviceMonitor.enabled | bool | `false` | Enable or disable ServiceMonitor |
| worker.strategy | object | `{}` | Configure strategy for the deployment |
| worker.terminationGracePeriodSeconds | int | `30` | Configure Pod termination grace period. Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination |
| worker.tolerations | list | `[]` | Tolerations for pod assignment. Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
| worker.topologySpreadConstraints | list | `[]` | Control how Pods are spread across your cluster. Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/#example-multiple-topologyspreadconstraints |
| worker.volumeMounts | list | `[]` | Additional volumeMounts on the output Deployment definition |
| worker.volumes | list | `[]` | Additional volumes on the output Deployment definition |
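
The defaults listed in the Values table include `ChangeMe` credentials, a `latest` ready-checker tag, `allowInsecureImages`, disabled network policies and empty security contexts. The check below is an added example, not part of the chart: it walks a merged values document and reports those settings before a release is installed. The rule names, `SECRET_HINTS`, and the rule that a block with `enabled: false` is not rendered are assumptions of this example, and the sample input is a constructed subset of the defaults.

```python
import json

PLACEHOLDER = "ChangeMe"  # placeholder string the chart defaults use for credentials
SECRET_HINTS = ("PASSWORD", "TOKEN", "ACCESS_KEY", "COOKIE")  # assumed naming convention

# Constructed sample: a subset of the defaults listed in the Values table, as JSON.
DEFAULTS = json.loads("""
{
  "env": {
    "APP__ADMIN__EMAIL": "admin@opencti.io",
    "APP__ADMIN__PASSWORD": "ChangeMe",
    "APP__ADMIN__TOKEN": "ChangeMe",
    "APP__HEALTH_ACCESS_KEY": "ChangeMe",
    "RABBITMQ__PASSWORD": "ChangeMe",
    "RABBITMQ__USERNAME": "user"
  },
  "minio": {"enabled": true, "rootPassword": "ChangeMe", "rootUser": "ChangeMe"},
  "rabbitmq": {
    "enabled": true,
    "auth": {"erlangCookie": "ChangeMe", "password": "ChangeMe", "username": "user"},
    "global": {"security": {"allowInsecureImages": true}}
  },
  "readyChecker": {"enabled": false, "repository": "busybox", "tag": "latest"},
  "networkPolicy": {"enabled": false},
  "securityContext": {},
  "podSecurityContext": {},
  "worker": {
    "enabled": true,
    "readyChecker": {"enabled": true, "repository": "busybox", "tag": "latest"},
    "networkPolicy": {"enabled": false},
    "securityContext": {}
  }
}
""")


def walk(node, path=()):
    """Yield (path, value) for every leaf; empty objects and lists count as leaves."""
    if isinstance(node, dict) and node:
        for key, child in node.items():
            yield from walk(child, path + (key,))
    elif isinstance(node, list) and node:
        for index, child in enumerate(node):
            yield from walk(child, path + (index,))
    else:
        yield path, node


def inside_disabled(values, path):
    """True when a block enclosing `path` has enabled: false (assumed not rendered)."""
    node = values
    for key in path[:-1]:
        node = node[key]
        if isinstance(node, dict) and node.get("enabled") is False:
            return True
    return False


def audit(values):
    """Return sorted (dotted.path, rule) findings for a merged values document."""
    findings = []
    for path, value in walk(values):
        if not path:
            continue
        key, dotted = str(path[-1]), ".".join(map(str, path))
        if key == "enabled" and len(path) > 1 and path[-2] == "networkPolicy":
            # A disabled policy is itself the finding, unless its component is off.
            if value is False and not inside_disabled(values, path[:-1]):
                findings.append((dotted, "network-policy-off"))
        elif inside_disabled(values, path):
            continue  # component switched off: nothing is deployed from this block
        elif value == PLACEHOLDER:
            findings.append((dotted, "placeholder-credential"))
        elif isinstance(value, str) and value and any(h in key.upper() for h in SECRET_HINTS):
            # A real secret typed into values; the chart offers envFromSecrets instead.
            findings.append((dotted, "inline-secret"))
        elif key == "tag" and value == "latest":
            findings.append((dotted, "mutable-image-tag"))
        elif key == "allowInsecureImages" and value is True:
            findings.append((dotted, "insecure-images-allowed"))
        elif key in ("securityContext", "podSecurityContext") and value == {}:
            findings.append((dotted, "empty-security-context"))
    return sorted(findings)


if __name__ == "__main__":
    for dotted, rule in audit(DEFAULTS):
        print(f"{rule:26} {dotted}")
```

To audit a deployed release instead of the sample, load the output of `helm get values [RELEASE_NAME] --all -o json` and pass it to `audit()`.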