Helm chart reference #3573

Closed
ialejandro opened this issue Jun 25, 2023 · 6 comments

ialejandro commented Jun 25, 2023

Use case

Update Helm chart reference on docs or create repo on OpenCTI-Platform org.

Current Workaround

N/A

Proposed Solution

I developed a new chart following Helm best practices: https://github.com/devops-ia/helm-charts/tree/main/charts/opencti

Additional Information

You can use or fork it if you want. I recommend creating a repo in the OpenCTI-Platform org. It is very simple to update the chart and maintain it.

If the feature request is approved, would you be willing to submit a PR?

Yes

ialejandro added the feature and needs triage labels Jun 25, 2023
sbocahu self-assigned this Jun 26, 2023
sbocahu added the documentation label and removed the needs triage label Jun 26, 2023
Member

sbocahu commented Jun 26, 2023

related to #2422

Member

sbocahu commented Jun 26, 2023

@ialejandro Thanks for your contribution :)

OpenCTI officially uses ElasticSearch, not OpenSearch. Although both might work well with OpenCTI, I think it would be better to use Elastic as a dependency, or to provide the choice between the two and mention it.

Documentation on how to use the chart will be great too. IIUC values need to be provided - the default values are not sufficient to blindly deploy OpenCTI using this chart.
I agree with the recommendation to create an OpenCTI-Platform org repo to host the chart, however I believe the chart should come with sane defaults to start deploying a no-brainer test instance if we officially support Helm as a deployment method.

Would you be willing to contribute to such changes and to documentation on docs.opencti.io (PRs can be provided to https://github.com/OpenCTI-Platform/docs)?

What are the intended uses of role/rolebinding?

@ialejandro
Author

@sbocahu Hi! Sorry about #2422, I didn't find it. If I had known, I would have written there.

Yes, I agree. Currently, we have OpenCTI running over OpenSearch 2.12.X. I didn't use Elasticsearch because of licensing issues (https://www.elastic.co/blog/licensing-change). Also, the Elasticsearch chart is deprecated (https://github.com/elastic/helm-charts) and they now use an operator (https://github.com/elastic/cloud-on-k8s). BTW, we can consider the Bitnami option, as I did for the Minio and RabbitMQ dependencies.

I have to add more documentation on how to work with the Helm chart and so that, with the default values, the service starts properly. I'll work on this point.

Yes, I would like to be able to help the project by contributing to the documentation without any problem.

About the roles, I am doing some tests to see whether the OpenCTI service is stable or whether I will need to create a cronjob to restart some connectors every X time. If it is stable, I will surely remove those manifests from the repository.

I have opened the ticket just to get your opinion and see if there is a possibility to help you to develop an updated, scalable and clean Helm chart.


bpereto commented Nov 3, 2023

Hi,

Cool chart - it helped a lot for a deployment on k8s.

As you stated, there are some default values missing and, for completeness, I will add them here.

env:
  APP__BASE_URL: "https://opencti.app"
  ELASTICSEARCH__URL: "http://opensearch-cluster-master:9200"
  MINIO__ENDPOINT: "opencti-minio"
  RABBITMQ__HOSTNAME: "opencti-rabbitmq"
  RABBITMQ__USERNAME: "user"
  REDIS__HOSTNAME: "opencti-redis-master"

envFromSecrets:
  MINIO__ACCESS_KEY:
    name: opencti-minio
    key: root-user
  MINIO__SECRET_KEY:
    name: opencti-minio
    key: root-password
  RABBITMQ__PASSWORD:
    name: opencti-rabbitmq
    key: rabbitmq-password
  REDIS__PASSWORD:
    name: opencti-redis
    key: redis-password
  APP__ADMIN__PASSWORD:
    name: opencti
    key: admin-password
  APP__ADMIN__TOKEN:
    name: opencti
    key: admin-token

worker:
  env:
    WORKER_LOG_LEVEL: INFO
  envFromSecrets:
    OPENCTI_TOKEN:
      name: opencti
      key: admin-token

opensearch:
  enabled: true
  singleNode: true
  extraEnvs:
    - name: "node.store.allow_mmap"
      value: "false"
  config:
    opensearch.yml: |
      cluster.name: opensearch-cluster
      network.host: 0.0.0.0
      discovery:
        type: "single-node"
      plugins:
        security:
          # Turns off OpenSearch authentication and TLS: test instances only
          disabled: true

minio:
  enabled: true
rabbitmq:
  enabled: true
redis:
  enabled: true

Create the secret:

kubectl -n opencti create secret generic opencti --from-literal=admin-token="$(uuidgen)" --from-literal=admin-password='xxx'

With this, you get a running OpenCTI with this chart. If the project would upstream this, it would make a lot of deployments easier.
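
A small standard-library lint for values files of this shape, added here as an example (it is not part of the chart or of any comment in this thread): it flags a key repeated within one mapping, secret-looking keys set as literals under `env`, plaintext `http://` endpoints, and a disabled OpenSearch security plugin. The sample input is constructed, and `lint_values` and its messages are names chosen for this example.

```python
import re

# Constructed sample in the shape of the values posted above (not a real deployment).
SAMPLE = """\
env:
  ELASTICSEARCH__URL: "http://opensearch-cluster-master:9200"
  APP__ADMIN__PASSWORD: "ChangeMe"
envFromSecrets:
  APP__ADMIN__TOKEN:
    name: opencti
    key: admin-token
  APP__ADMIN__TOKEN:
    name: opencti
    key: admin-token
opensearch:
  config:
    opensearch.yml: |
      plugins:
        security:
          disabled: true
"""

KEY = re.compile(r"^(\s*)(- )?([\w.\-]+):(?:\s+(.*))?$")
SECRETISH = re.compile(r"PASSWORD|TOKEN|SECRET|ACCESS_KEY")

def lint_values(text):
    findings, stack, seen = [], [], {}
    for no, line in enumerate(text.splitlines(), 1):
        m = KEY.match(line)
        if not m:
            continue
        indent = len(m.group(1)) + (2 if m.group(2) else 0)
        key, val = m.group(3), (m.group(4) or "").strip()
        while stack and stack[-1][0] >= indent:
            stack.pop()
        parent = tuple(k for _, k in stack)
        if m.group(2):  # new list item: its keys may repeat those of earlier items
            seen.pop(parent, None)
        if key in seen.setdefault(parent, set()):
            findings.append((no, f"duplicate key {key!r} in the same mapping"))
        seen[parent].add(key)
        seen[parent + (key,)] = set()  # fresh scope for this key's children
        stack.append((indent, key))
        if "env" in parent and SECRETISH.search(key) and val:
            findings.append((no, f"{key} is a literal under env: use envFromSecrets"))
        if "http://" in val:
            findings.append((no, f"{key} points at a plaintext http endpoint"))
        if parent[-2:] + (key,) == ("plugins", "security", "disabled") and val == "true":
            findings.append((no, "OpenSearch security plugin is disabled"))
    return findings
```

The scanner tracks indentation only, so it treats the embedded `opensearch.yml` block scalar as nested keys; that is what lets it see the security setting without a YAML library.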

@ialejandro
Author

@bpereto thanks a lot. I'll add an Elasticsearch option and document all options. I need some time to complete it and pass the linters (https://github.com/devops-ia/helm-charts/actions?page=4&query=opencti), but I'll write here when there is news.

@ialejandro
Author

@sbocahu I updated it and (finally!!) pass the proper environment and configs with subcharts. Here it is: https://github.com/devops-ia/helm-charts/tree/main/charts/opencti and some docs:

What do you think about it? Is it a good idea to create a new repository in your organization to push changes? I am open to any changes that you want.

@bpereto maybe this interests you too!

SamuelHassine added the solved label Jan 9, 2024