From 804d7901b1f8d98fd46f65a9c5cdaa545cc1f3a9 Mon Sep 17 00:00:00 2001 
From: Dan Date: Sat, 11 Jan 2025 11:39:10 +0000 Subject: [PATCH 1/5] Adds Helm chart and Google Cloud Infra instructions --- cloud/README.md | 124 ++++++ cloud/main.tf | 396 ++++++++++++++++++ cloud/output.tf | 85 ++++ cloud/variables.tf | 54 +++ helm/Chart.yaml | 21 + helm/README.md | 366 ++++++++++++++++ helm/config.sh | 136 ++++++ helm/filestore/pvc-filestore.yaml | 12 + helm/filestore/sc-ms-512.yaml | 13 + helm/settings_template.toml | 68 +++ helm/templates/_helpers.tpl | 62 +++ helm/templates/deployment/dpl-mediator.yaml | 97 +++++ helm/templates/deployment/dpl-postgres.yaml | 39 ++ helm/templates/deployment/dpl-redis.yaml | 28 ++ helm/templates/deployment/dpl-server.yaml | 107 +++++ helm/templates/deployment/dpl-ui.yaml | 37 ++ .../dpl-worker-analyzer-config.yaml | 62 +++ .../deployment/dpl-worker-extraction.yaml | 64 +++ .../deployment/dpl-worker-hayabusa.yaml | 62 +++ .../deployment/dpl-worker-plaso.yaml | 66 +++ .../deployment/dpl-worker-strings.yaml | 66 +++ helm/templates/gateway/gw-openrelik.yaml | 20 + helm/templates/gateway/hc-server.yaml | 23 + helm/templates/gateway/hc-ui.yaml | 23 + helm/templates/gateway/rte-server.yaml | 17 + helm/templates/gateway/rte-ui.yaml | 17 + helm/templates/namespace/ns-openrelik.yaml | 9 + helm/templates/secret/sec-openrelik-db.yaml | 13 + helm/templates/service/svc-postgres.yaml | 14 + helm/templates/service/svc-redis.yaml | 14 + helm/templates/service/svc-server.yaml | 12 + helm/templates/service/svc-ui.yaml | 12 + .../serviceaccount/sa-openrelik.yaml | 5 + helm/templates/volume/pvc-local.yaml | 13 + helm/templates/volume/pvc-postgres.yaml | 13 + helm/values-gcp.yaml | 137 ++++++ helm/values.yaml | 137 ++++++ 37 files changed, 2444 insertions(+) create mode 100644 cloud/README.md create mode 100644 cloud/main.tf create mode 100644 cloud/output.tf create mode 100644 cloud/variables.tf create mode 100644 helm/Chart.yaml create mode 100644 helm/README.md create mode 100755 helm/config.sh create mode 100644 
helm/filestore/pvc-filestore.yaml create mode 100644 helm/filestore/sc-ms-512.yaml create mode 100644 helm/settings_template.toml create mode 100644 helm/templates/_helpers.tpl create mode 100644 helm/templates/deployment/dpl-mediator.yaml create mode 100644 helm/templates/deployment/dpl-postgres.yaml create mode 100644 helm/templates/deployment/dpl-redis.yaml create mode 100644 helm/templates/deployment/dpl-server.yaml create mode 100644 helm/templates/deployment/dpl-ui.yaml create mode 100644 helm/templates/deployment/dpl-worker-analyzer-config.yaml create mode 100644 helm/templates/deployment/dpl-worker-extraction.yaml create mode 100644 helm/templates/deployment/dpl-worker-hayabusa.yaml create mode 100644 helm/templates/deployment/dpl-worker-plaso.yaml create mode 100644 helm/templates/deployment/dpl-worker-strings.yaml create mode 100644 helm/templates/gateway/gw-openrelik.yaml create mode 100644 helm/templates/gateway/hc-server.yaml create mode 100644 helm/templates/gateway/hc-ui.yaml create mode 100644 helm/templates/gateway/rte-server.yaml create mode 100644 helm/templates/gateway/rte-ui.yaml create mode 100644 helm/templates/namespace/ns-openrelik.yaml create mode 100644 helm/templates/secret/sec-openrelik-db.yaml create mode 100644 helm/templates/service/svc-postgres.yaml create mode 100644 helm/templates/service/svc-redis.yaml create mode 100644 helm/templates/service/svc-server.yaml create mode 100644 helm/templates/service/svc-ui.yaml create mode 100644 helm/templates/serviceaccount/sa-openrelik.yaml create mode 100644 helm/templates/volume/pvc-local.yaml create mode 100644 helm/templates/volume/pvc-postgres.yaml create mode 100644 helm/values-gcp.yaml create mode 100644 helm/values.yaml diff --git a/cloud/README.md b/cloud/README.md new file mode 100644 index 0000000..3b8675b --- /dev/null +++ b/cloud/README.md 
@@ -0,0 +1,124 @@ +# Provision Google Cloud Environment for OpenRelik + +## Introduction + +This repository hosts the code and configuration for provisioning a Google Cloud environment for OpenRelik deployments. + +## 1. Preliminary Setup Instructions + +We recommend that you create a new Google Cloud Project to run this demo. +Like this you can get the following benefits: + +- enjoy a controled setup that provides the best chances for a successful demo, and +- discard all resources at the end to avoid any further charges. + +Your Google Cloud Project will need to have billing enabled. + +### 1.1. Initialize ```gcloud``` + +```console +export PROJECT_ID=[YOUR_PROJECT_ID_HERE] +gcloud config set project $PROJECT_ID +``` + +### 1.2. Enable the required Google Cloud APIs + +As the first step we want to enable the necessary Google Cloud APIs. +The Terraform script will also do the same but enabling them early will give us the best chance to find them enabled when we execute the Terraform code. + +```console +gcloud services enable artifactregistry.googleapis.com \ + certificatemanager.googleapis.com \ + cloudresourcemanager.googleapis.com \ + container.googleapis.com \ + file.googleapis.com \ + monitoring.googleapis.com \ + networksecurity.googleapis.com \ + redis.googleapis.com \ + secretmanager.googleapis.com \ + servicenetworking.googleapis.com \ + serviceusage.googleapis.com \ + sqladmin.googleapis.com \ + storage.googleapis.com +``` + +### 1.3. Remove the default VPC network + +We also recommend that you remove the ```default``` VPC network. + +```console +gcloud compute firewall-rules delete default-allow-icmp default-allow-internal default-allow-rdp default-allow-ssh +gcloud compute networks delete default +``` + +## 2. Installation Instructions + +We assume that you have already cloned this repository to your machine. 
+If not then go ahead and issue the `git clone` command below: + +```console +git clone https://github.com/openrelik/openrelik-deploy.git +cd openrelik-deploy +export REPO=$(pwd) + +cd cloud +``` + +We are good to go now! + +### 2.1. Setup the Platform Infrasturcture + +```console +terraform init +terraform plan -var "project_id=$PROJECT_ID" +terraform apply -var "project_id=$PROJECT_ID" +``` + +### 2.2. Capture Environment Variables for later use + +```console +export ARTIFACT_REGISTRY=$(terraform output -json | jq -r .artifact_registry_id.value) +export CERTIFICATE_NAME=$(terraform output -json | jq -r .certname.value) +export DB_SECRET_NAME=$(terraform output -json | jq -r .db_secret_name.value) +export DB_SECRET_VERSION=$(terraform output -json | jq -r .db_secret_version.value) +export GKE_CLUSTER_LOCATION=$(terraform output -json | jq -r .gke_cluster_location.value) +export GKE_CLUSTER_NAME=$(terraform output -json | jq -r .gke_cluster_name.value) +export PROJECT=$(terraform output -json | jq -r .project_id.value) +export OPENRELIK_DB=$(terraform output -json | jq -r .openrelik_db.value) +export OPENRELIK_DB_INSTANCE=$(terraform output -json | jq -r .openrelik_db_instance.value) +export OPENRELIK_DB_USER=$(terraform output -json | jq -r .openrelik_db_user.value) +export OPENRELIK_DB_ADDRESS=$(gcloud sql instances describe ${OPENRELIK_DB_INSTANCE} --project=${PROJECT} --format=json | jq -r .settings.ipConfiguration.pscConfig.pscAutoConnections[0].ipAddress) +export OPENRELIK_HOSTNAME=$(terraform output -json | jq -r .hostname.value) +export REDIS_ADDRESS=$(terraform output -json | jq -r .redis_address.value) +export REGION=$(terraform output -json | jq -r .region.value) +export ZONE=$(terraform output -json | jq -r .zone.value) + +export ENABLE_GCP=true +``` + +## 3. Installing OpenRelik on GKE + +You can continue with the instructions for [installing OpenRelik on GKE](../chart/README.md#22-installing-openrelik-on-gke). + +## 4. 
Cleaning up + +We recommend that you clean up the installation after you are done with your testing to avoid any future charges. + +You can delete the entire Google Cloud Project (and all resources contained in it) by going to the [Resource Manager](https://console.cloud.google.com/cloud-resource-manager), select your Project and delete it (you will need to confirm your action by copying the Project ID). +You can find more info in the [online documentation](https://cloud.google.com/resource-manager/docs/creating-managing-projects#shutting_down_projects). + +## License + +Copyright © 2025 OpenRelik + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/cloud/main.tf b/cloud/main.tf new file mode 100644 index 0000000..67f45a9 --- /dev/null +++ b/cloud/main.tf 
@@ -0,0 +1,396 @@
+/**
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+locals {
+ hostname = "${replace(google_compute_global_address.external_address.address, ".", "-")}.nip.io"
+ subdomains = ["openrelik.${local.hostname}"]
+ certname = "cert-${replace(google_compute_global_address.external_address.address, ".", "")}"
+ domains = concat([local.hostname], local.subdomains)
+}
+
+data "google_project" "project" {
+}
+
+##########################################################################
+# Enable the required Cloud APIs
+##########################################################################
+resource "google_project_service" "artifactregistry" {
+ project = var.project_id
+ service = "artifactregistry.googleapis.com"
+
+ disable_dependent_services = true
+}
+
+resource "google_project_service" "certificatemanager" {
+ project = var.project_id
+ service = "certificatemanager.googleapis.com"
+
+ disable_dependent_services = true
+}
+
+resource "google_project_service" "cloudbuild" {
+ project = var.project_id
+ service = "cloudbuild.googleapis.com"
+
+ disable_dependent_services = true
+}
+
+resource "google_project_service" "cloudresourcemanager" {
+ project = var.project_id
+ service = "cloudresourcemanager.googleapis.com"
+
+ disable_dependent_services = true
+}
+
+resource "google_project_service" "compute" {
+ project = var.project_id
+ service = "compute.googleapis.com"
+
+ disable_dependent_services = true
+}
+
+resource "google_project_service" "monitoring" {
+ project = var.project_id
+ service = "monitoring.googleapis.com"
+
+ disable_dependent_services = true
+}
+
+resource "google_project_service" "networksecurity" {
+ project = var.project_id
+ service = "networksecurity.googleapis.com"
+
+ disable_dependent_services = true
+}
+
+resource "google_project_service" "redis" {
+ project = var.project_id
+ service = "redis.googleapis.com"
+
+ disable_dependent_services = true
+}
+
+resource "google_project_service" "secretmanager" {
+ project = var.project_id
+ service = "secretmanager.googleapis.com"
+
+ disable_dependent_services = true
+}
+
+resource "google_project_service" "servicenetworking" {
+ project = var.project_id
+ service = "servicenetworking.googleapis.com"
+
+ disable_dependent_services = true
+}
+
+resource "google_project_service" "serviceusage" {
+ project = var.project_id
+ service = "serviceusage.googleapis.com"
+
+ disable_dependent_services = true
+}
+
+resource "google_project_service" "sqladmin" {
+ project = var.project_id
+ service = "sqladmin.googleapis.com"
+
+ disable_dependent_services = true
+}
+
+resource "google_project_service" "storage" {
+ project = var.project_id
+ service = "storage.googleapis.com"
+
+ disable_dependent_services = true
+}
+
+##########################################################################
+# Create the external L7 load balancer IP address
+##########################################################################
+resource "google_compute_global_address" "external_address" {
+ name = var.address_name
+ project = var.project_id
+ address_type = "EXTERNAL"
+}
+
+##########################################################################
+# Create the L7 load balancer certificate
+##########################################################################
+resource "google_compute_managed_ssl_certificate" "openrelik_cert" {
+ project = var.project_id
+ name = local.certname
+ managed {
+ domains = local.domains
+ }
+}
+
+##########################################################################
+# Set up the VPC and subnet
+##########################################################################
+resource "google_compute_network" "vpc" {
+ name = "gke-vpc"
+ auto_create_subnetworks = "false"
+}
+
+resource "google_compute_subnetwork" "subnet" {
+ name = "gke-subnet"
+ ip_cidr_range = "10.0.0.0/16"
+ region = var.region
+ network = google_compute_network.vpc.id
+ secondary_ip_range {
+ range_name = "services-range"
+ ip_cidr_range = "10.1.0.0/16"
+ }
+ secondary_ip_range {
+ range_name = "pod-range"
+ ip_cidr_range = "10.2.0.0/16"
+ }
+}
+
+# allow access from health check ranges
+resource "google_compute_firewall" "allow_l7_xlb_fw_hc" {
+ name = "allow-l7-xlb-fw-hc"
+ direction = "INGRESS"
+ network = google_compute_network.vpc.id
+ source_ranges = ["130.211.0.0/22", "35.191.0.0/16"]
+ allow {
+ protocol = "tcp"
+ }
+ target_tags = ["allow-health-check"]
+}
+
+# allow ssh ingress from iap
+resource "google_compute_firewall" "allow_ssh_ingress_from_iap" {
+ name = "allow-ssh-ingress-from-iap"
+ direction = "INGRESS"
+ network = google_compute_network.vpc.id
+ source_ranges = ["35.235.240.0/20"]
+ allow {
+ protocol = "tcp"
+ ports = ["22"]
+ }
+}
+
+##########################################################################
+# Set up the Artifact Registry
+##########################################################################
+resource "google_artifact_registry_repository" "artifact_registry" {
+ location = var.region
+ repository_id = "artifact-registry"
+ description = "docker repository"
+ format = "DOCKER"
+}
+
+resource "google_artifact_registry_repository_iam_member" "openrelik_artifact_writer" {
+ location = google_artifact_registry_repository.artifact_registry.location
+ repository = google_artifact_registry_repository.artifact_registry.name
+ role = "roles/artifactregistry.writer"
+ member = "principal://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${var.project_id}.svc.id.goog/subject/ns/openrelik/sa/openrelik-sa"
+ depends_on = [
+ google_container_cluster.openrelik_cluster
+ ]
+}
+
+##########################################################################
+# Set up the GKE cluster
+##########################################################################
+data "google_container_engine_versions" "gke_version" {
+ location = var.region
+ version_prefix = "1.30."
+}
+
+resource "google_container_cluster" "openrelik_cluster" {
+ name = "openrelik-cluster"
+ location = var.zone
+
+ # We can't create a cluster with no node pool defined, but we want to only use
+ # separately managed node pools. So we create the smallest possible default
+ # node pool and immediately delete it.
+ remove_default_node_pool = true
+ initial_node_count = 1
+
+ network = google_compute_network.vpc.id
+ subnetwork = google_compute_subnetwork.subnet.id
+
+ ip_allocation_policy {
+ cluster_secondary_range_name = "pod-range"
+ services_secondary_range_name = google_compute_subnetwork.subnet.secondary_ip_range.0.range_name
+ }
+
+ workload_identity_config {
+ workload_pool = "${var.project_id}.svc.id.goog"
+ }
+
+ datapath_provider = "ADVANCED_DATAPATH"
+
+ gateway_api_config {
+ channel = "CHANNEL_STANDARD"
+ }
+
+ monitoring_config {
+ managed_prometheus {
+ enabled = true
+ }
+
+ advanced_datapath_observability_config {
+ enable_metrics = true
+ enable_relay = true
+ }
+ }
+ addons_config {
+ gcp_filestore_csi_driver_config {
+ enabled = true
+ }
+ gcs_fuse_csi_driver_config {
+ enabled = true
+ }
+ }
+ secret_manager_config {
+ enabled = true
+ }
+}
+
+# Node Pool for OpenRelik nodes
+resource "google_container_node_pool" "openrelik_node_pool" {
+ name = "openrelik-node-pool"
+ location = var.zone
+ cluster = google_container_cluster.openrelik_cluster.name
+
+ version = data.google_container_engine_versions.gke_version.release_channel_default_version["REGULAR"]
+ node_count = var.openrelik_pool_num_nodes
+
+ node_config {
+ oauth_scopes = [
+ "https://www.googleapis.com/auth/devstorage.read_only",
+ "https://www.googleapis.com/auth/logging.write",
+ "https://www.googleapis.com/auth/monitoring",
+ ]
+
+ labels = {
+ env = var.project_id
+ nodepool = var.nodepool
+ }
+
+ # preemptible = true
+ machine_type = var.nodepool_machine_type
+ tags = ["openrelik-pool-node", "allow-health-check"]
+ metadata = {
+ disable-legacy-endpoints = "true"
+ }
+ }
+}
+
+##########################################################################
+# Set up the Cloud SQL Postres instance
+##########################################################################
+resource "google_network_connectivity_service_connection_policy" "postgres" {
+ name = "postgress"
+ location = var.region
+ service_class = "google-cloud-sql"
+ network = google_compute_network.vpc.id
+ psc_config {
+ subnetworks = [google_compute_subnetwork.subnet.id]
+ limit = 2
+ }
+}
+
+resource "google_sql_database_instance" "openrelik_postgres" {
+ name = "openrelik-postgres"
+ region = var.region
+ database_version = "POSTGRES_17"
+
+ settings {
+ edition = "ENTERPRISE"
+ tier = var.db_tier
+ ip_configuration {
+ ipv4_enabled = false
+ psc_config {
+ psc_enabled = true
+ allowed_consumer_projects = [var.project_id]
+ psc_auto_connections {
+ consumer_network = google_compute_network.vpc.id
+ consumer_service_project_id = var.project_id
+ }
+ }
+ }
+ }
+ deletion_protection = false
+ depends_on = [google_network_connectivity_service_connection_policy.postgres]
+}
+
+resource "google_sql_database" "openrelik" {
+ name = "openrelik"
+ instance = google_sql_database_instance.openrelik_postgres.name
+ deletion_policy = "DELETE"
+}
+
+resource "random_password" "openrelik" {
+ length = 16
+ special = false
+}
+
+resource "google_sql_user" "openrelik" {
+ name = "openrelik"
+ instance = google_sql_database_instance.openrelik_postgres.name
+ password = random_password.openrelik.result
+}
+
+resource "google_secret_manager_secret" "openrelik" {
+ secret_id = "openrelik"
+ labels = {
+ label = "openrelik-db"
+ }
+ replication {
+ user_managed {
+ replicas {
+ location = "europe-west1"
+ }
+ }
+ }
+}
+
+resource "google_secret_manager_secret_version" "openrelik" {
+ secret = google_secret_manager_secret.openrelik.id
+ secret_data = random_password.openrelik.result
+}
+
+resource "google_secret_manager_secret_iam_member" "openrelik_secret_accessor" {
+ secret_id = google_secret_manager_secret.openrelik.secret_id
+ role = "roles/secretmanager.secretAccessor"
+ member = "principal://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${var.project_id}.svc.id.goog/subject/ns/openrelik/sa/openrelik-sa"
+ depends_on = [
+ google_container_cluster.openrelik_cluster
+ ]
+}
+
+##########################################################################
+# Set up the Redis instance
+##########################################################################
+resource "google_redis_instance" "redis" {
+ name = "redis"
+ tier = "BASIC"
+ region = var.region
+ memory_size_gb = 1
+
+ authorized_network = google_compute_network.vpc.id
+ connect_mode = "DIRECT_PEERING"
+
+ display_name = "OpenRelik Redis Instance"
+
+ lifecycle {
+ prevent_destroy = false
+ }
+}
diff --git a/cloud/output.tf b/cloud/output.tf
new file mode 100644
index 0000000..f89597e
--- /dev/null
+++ b/cloud/output.tf
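Review bot: The Memorystore instance in `google_redis_instance.redis` sets neither `auth_enabled` nor `transit_encryption_mode`, so it comes up with AUTH off and plaintext transport, and with `connect_mode = "DIRECT_PEERING"` on `authorized_network` it is reachable by every workload in the VPC, including the worker pods that, judging by their names (plaso, hayabusa, strings), process untrusted evidence files. A compromised pod could then read or inject into what is presumably the task queue; add `auth_enabled = true` and `transit_encryption_mode = "SERVER_AUTHENTICATION"`, and hand `google_redis_instance.redis.auth_string` to the chart the same way the DB password is handled here (a Secret Manager version, not a plain output). A related least-privilege point in `openrelik_artifact_writer`: the runtime Kubernetes service account gets `roles/artifactregistry.writer`, which lets a compromised pod overwrite the images the cluster pulls; unless the workloads themselves push images, `role = "roles/artifactregistry.reader"` is enough. Finally, `google_container_cluster.openrelik_cluster` has no `private_cluster_config` or `master_authorized_networks_config`, so nodes get public IPs and the control-plane endpoint is reachable from anywhere — tolerable for the throwaway demo the README describes, but worth a comment saying so, and the Secret Manager replica is pinned to `"europe-west1"` while everything else follows `var.region`.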
@@ -0,0 +1,85 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "artifact_registry_id" {
+ description = "The Artifact Registry ID"
+ value = google_artifact_registry_repository.artifact_registry.repository_id
+}
+
+output "gke_cluster_location" {
+ description = "The location of the GKE cluster"
+ value = google_container_cluster.openrelik_cluster.location
+}
+
+output "gke_cluster_name" {
+ description = "The name of the GKE cluster"
+ value = google_container_cluster.openrelik_cluster.name
+}
+
+output "openrelik_db" {
+ description = "The name of the OpenRelik Postgres DB."
+ value = google_sql_database.openrelik.name
+}
+
+output "openrelik_db_instance" {
+ description = "The name of the OpenRelik Postgres instance."
+ value = google_sql_database_instance.openrelik_postgres.name
+}
+
+output "openrelik_db_user" {
+ description = "The user name of the OpenRelik Postgres DB."
+ value = google_sql_user.openrelik.name
+}
+
+output "project_id" {
+ description = "The Project ID"
+ value = var.project_id
+}
+
+output "redis_address" {
+ description = "The IP address of the Redis memory store."
+ value = google_redis_instance.redis.host
+}
+
+output "region" {
+ description = "The Region"
+ value = var.region
+}
+
+output "zone" {
+ description = "The Zone"
+ value = var.zone
+}
+
+output "hostname" {
+ description = "The Openrelik frontend external hostname"
+ value = local.hostname
+}
+
+output "db_secret_name" {
+ description = "The Openrelik DB secret name"
+ value = google_secret_manager_secret.openrelik.secret_id
+}
+
+output "db_secret_version" {
+ description = "The Openrelik DB secret version"
+ value = google_secret_manager_secret_version.openrelik.version
+}
+
+output "certname" {
+ description = "The Openrelik frontend certficate name"
+ value = local.certname
+}
diff --git a/cloud/variables.tf b/cloud/variables.tf
new file mode 100644
index 0000000..6ab5663
--- /dev/null
+++ b/cloud/variables.tf
@@ -0,0 +1,54 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+ description = "Google Cloud Project Identifier"
+}
+
+variable "region" {
+ description = "region"
+ default = "europe-west1"
+}
+
+variable "zone" {
+ description = "zone"
+ default = "europe-west1-b"
+}
+
+variable "openrelik_pool_num_nodes" {
+ description = "number of OpenRelik nodes"
+ default = 3
+}
+
+variable "nodepool" {
+ description = "OpenReliki nodepool"
+ default = "openrelik"
+}
+
+variable "nodepool_machine_type" {
+ description = "OpenRelik nodepool machine type"
+ default = "n2-standard-4"
+}
+
+variable "db_tier" {
+ description = "tier for the the Cloud SQL DB"
+ default = "db-f1-micro"
+}
+
+variable "address_name" {
+ description = "name for the OpenRelik public IP address"
+ default = "openrelik-frontend"
+}
diff --git a/helm/Chart.yaml b/helm/Chart.yaml
new file mode 100644
index 0000000..efc745d
--- /dev/null
+++ b/helm/Chart.yaml
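Review bot: None of the variable blocks declares a `type`, so `project_id` accepts any value and `openrelik_pool_num_nodes` accepts a string, with the mistake only surfacing when the provider call fails; add `type = string` to each (and `type = number` for the node count) so `terraform plan` rejects bad input up front. `project_id` is the only required variable but nothing says so beyond the missing default — a description such as `"Google Cloud Project Identifier (required; no default)"` would make that explicit. The `region` and `zone` defaults are independent, so a caller overriding one but not the other gets a zone outside the region; a one-line comment on `zone` noting it must lie inside `region` would prevent a confusing apply failure.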
@@ -0,0 +1,21 @@
+apiVersion: v2
+name: openrelik
+version: 1.0.0
+description: A Helm chart for Openrelik Kubernetes deployments.
+keywords:
+- openrelik
+- dfir
+- analysis
+- forensics
+home: "https://openrelik.org/"
+maintainers:
+ - name: Open Source DFIR
+ url: https://github.com/openrelik/openrelik-deploy
+sources:
+- https://github.com/openrelik
+- https://github.com/google/osdfir-infrastructure
+icon: https://openrelik.org/favicon.ico
+appVersion: "latest"
+annotations:
+ category: Security
+ licenses: Apache-2.0
diff --git a/helm/README.md b/helm/README.md
new file mode 100644
index 0000000..6979335
--- /dev/null
+++ b/helm/README.md
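Review bot: `appVersion: "latest"` does not identify a release, so a deployed chart cannot be traced back to the application version it ran, and if the templates default their image tags from `.Chart.AppVersion` (the templates are not visible here) every install floats on whatever `latest` resolves to at pull time. Pin `appVersion` to the concrete OpenRelik release tag the templates were tested against and bump it together with `version`, so the chart is reproducible and image provenance can be audited.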
@@ -0,0 +1,366 @@ +# OpenRelik Helm Chart + +[OpenRelik](https://openrelik.org) OpenRelik is an open-source (Apache-2.0) platform designed to streamline collaborative digital forensic investigations. + +[Overview of OpenRelik](https://openrelik.org/docs/) + +[Chart Source Code](https://github.com/openrelik) + +Before we get started make sure you clone the repo onto your machine. + +```console +git clone https://github.com/openrelik/openrelik-deploy.git +cd openrelik-deploy +export REPO=$(pwd) +``` + +## TL;DR + +> **Tip**: To quickly get started with a local cluster, see [minikube install docs](https://minikube.sigs.k8s.io/docs/start/). + +```console +# Start minikube +minikube start +minikube tunnel & + +# Create the configuration files +cd chart +./config.sh local + +# Change back to the REPO directory +cd $REPO + +# Install the OpenRelik Helm chart +helm install openrelik-on-k8s ./chart -f ./chart/values.yaml +``` + +> **Note**: For a more real life scenario see [Installing on Cloud](#2-installing-openrelik-on-cloud) for deploying OpenRelik on [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine) (GKE). + +## Introduction + +This chart bootstraps a [OpenRelik](https://github.com/openrelik) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +## Prerequisites + +- [minikube](https://minikube.sigs.k8s.io/docs/start/) v1.32.0+ +- [Docker](https://docs.docker.com/engine/install/) 25.0.3+ +- [Kubernetes](https://kubernetes.io/) 1.27.8+ +- [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl) v1.29.2+ +- [Helm](https://helm.sh/docs/intro/install/) 3.14.1+ + +## 1. Installing OpenRelik on minikube + +Let's start ```minikube``` and set up tunneling for later interactions. +The [minikube tunnel](https://minikube.sigs.k8s.io/docs/commands/tunnel/) feature creates a network route on the host to Kubernetes services using the cluster’s IP address as a gateway. 
+The tunnel command exposes the IP address to any program running on the host operating system. + +```console +minikube start +minikube tunnel & +``` + +### 1.1. Creating the configuration + +```console +# Create the configuration files +cd chart +./config.sh local + +# Change back to the REPO directory +cd $REPO +``` + +### 1.2. Installing the Chart + +To install the chart, specify any release name of your choice. For example, using `openrelik-on-k8s' as the release name, run: + +```console +# Install the OpenRelik Helm chart +helm install openrelik-on-k8s ./chart -f ./chart/values.yaml + +# Verify that all the OpenRelik component pods are in 'Running' state (this might take a moment) +kubectl get pods -n openrelik +# The output should look similar to the below: +# NAME READY STATUS RESTARTS AGE +# openrelik-mediator-7c58c4d667-j8l9t 1/1 Running 0 8s +# openrelik-postgres-589c44cd5f-ggk6p 1/1 Running 0 8s +# openrelik-redis-66d8946695-4jv6j 1/1 Running 0 8s +# openrelik-server-5864d95fc7-cdw7x 1/1 Running 0 8s +# openrelik-ui-d5c646bc7-xnwgx 1/1 Running 0 8s +# openrelik-worker-analyzer-config-58b4ddd59f-4pfjd 1/1 Running 0 8s +# openrelik-worker-extraction-68f94856f6-kpksl 1/1 Running 0 8s +# openrelik-worker-hayabusa-676bb647dc-6wck5 1/1 Running 0 8s +# openrelik-worker-plaso-55f97c9555-j9skb 1/1 Running 0 8s +# openrelik-worker-strings-7db674c997-z4n66 1/1 Running 0 8s +``` + +The command deploys OpenRelik on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. + +### 1.3. 
Initialise the Openrelik DB + +```console +export SERVER_POD=$(kubectl get pod -l app=server -n openrelik -o jsonpath="{.items[0].metadata.name}") +kubectl exec -it ${SERVER_POD} -n openrelik -c openrelik-server -- \ + bash -c 'cd /app/openrelik/datastores/sql && \ + export SQLALCHEMY_DATABASE_URL=$(grep database_url /var/config/settings.toml | sed "s/database_url = //" | sed "s/\"//g") && \ + alembic upgrade head' +``` + +### 1.4. Create the ```admin``` user + +```console +export SERVER_POD=$(kubectl get pod -l app=server -n openrelik -o jsonpath="{.items[0].metadata.name}") +export USER_PWD="" +kubectl exec -it ${SERVER_POD} -n openrelik -c openrelik-server -- \ + bash -c "python admin.py create-user admin --password ${USER_PWD} --admin" +``` + +### 1.5. Connect to the OpenRelik Frontend + +You can now point your browser to the OpenRelik Frontend. + +```console +export UI_IP=$(kubectl get svc svc-ui -n openrelik --output jsonpath='{.spec.clusterIP}') +export SERVER_IP=$(kubectl get svc svc-server -n openrelik --output jsonpath='{.spec.clusterIP}') + +# Create an SSH port forward tunnel for both the UI and API server ports +echo "ssh -L 8711:$UI_IP:8711 -L 8710:$SERVER_IP:8710 minikube" + +# Point your browser at the OpenRelik UI +echo "http://localhost:8711" +``` + +## 2. Installing OpenRelik on Cloud + +After installing OpenRelik on minikube and kicking the tires you likely aim for running OpenRelik in a more real life scenario. +For this you could consider installing OpenRelik on a managed Kubernetes cluster in the cloud like on [Google Cloud's Kubernetes Engine](https://cloud.google.com/kubernetes-engine) (GKE). + +### 2.1. GKE Installation + +Before we can install OpenRelik we need to provision a GKE cluster and its related infrastructure. +The quickest way to provision a ready to run environment on Google Cloud is by following the steps in these [installation instructions](../cloud/README.md). 
+ +We recommend that you start with cloning this repo again to avoid carrying over any configurations from the minikube based instructions above. + +```console +git clone https://github.com/google/openrelik-deploy.git +cd openrelik-deploy +export REPO=$(pwd) +``` + +Once you have provisioned your infrastructure you can continue with the instructions below. + +### 2.2. Installing OpenRelik on GKE + +In case you followed the Google Cloud environment installation instructions you should already have the following environment variables configured. +Otherwise, either run the [installation instruction step](../cloud/README.md#22-capture-environment-variables-for-later-use) again or set the environment variables to values that match your setup. +You can check that they have a value assigned by running the commands below. + +```console +echo "ARTIFACT_REGISTRY: $ARTIFACT_REGISTRY" +echo "CERTIFICATE_NAME: $CERTIFICATE_NAME" +echo "DB_SECRET_NAME: $DB_SECRET_NAME" +echo "DB_SECRET_VERSION: $DB_SECRET_VERSION" +echo "ENABLE_GCP: $ENABLE_GCP" +echo "GKE_CLUSTER_LOCATION: $GKE_CLUSTER_LOCATION" +echo "GKE_CLUSTER_NAME: $GKE_CLUSTER_NAME" +echo "PROJECT: $PROJECT" +echo "OPENRELIK_DB: $OPENRELIK_DB" +echo "OPENRELIK_DB_INSTANCE: $OPENRELIK_DB_INSTANCE" +echo "OPENRELIK_DB_USER: $OPENRELIK_DB_USER" +echo "OPENRELIK_DB_ADDRESS: $OPENRELIK_DB_ADDRESS" +echo "OPENRELIK_HOSTNAME: $OPENRELIK_HOSTNAME" +echo "REDIS_ADDRESS: $REDIS_ADDRESS" +echo "REGION: $REGION" +echo "ZONE: $ZONE" +``` + +#### 2.2.1. Fetch the GKE cluster credentials + +```console +gcloud container clusters get-credentials $GKE_CLUSTER_NAME --zone $GKE_CLUSTER_LOCATION --project $PROJECT_ID +``` + +#### 2.2.2. Set the default values for the OpenRelik Helm chart + +```console +cd $REPO/chart +./config.sh cloud + +# Change back to the REPO directory +cd $REPO +``` + +#### 2.2.3. 
Create the Filestore share + +> **Tip**: For more details see [Filestore Multishares](https://cloud.google.com/filestore/docs/optimize-multishares) + +```console +kubectl apply -f chart/templates/namespace/ns-openrelik.yaml + +kubectl apply -f chart/filestore/sc-ms-512.yaml + +kubectl apply -f chart/filestore/pvc-filestore.yaml + +# Make sure you let the Filestore creation process finish before continuing. +watch -n 1 kubectl get pvc -n openrelik + +# You should see a message like the one below once the Filestore has been created: +# NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS VOLUMEATTRIBUTESCLASS AGE +# pvc-filestore Bound pvc-2404aa93-...-f18e560b9534 512Gi RWX sc-ms-512 1m +``` + +#### 2.2.4. Install the Helm chart + +```console +helm install openrelik-on-k8s ./chart -f ./chart/values-gcp.yaml +``` + +#### 2.2.5. Wait for all OpenRelik pods to be in 'Running' status + +```console +# Check that all the pods are in the 'Running' status. +kubectl get pods -n openrelik +# The output should look something like the below: +# NAME READY STATUS RESTARTS AGE +# openrelik-mediator-75b4659b97-znvhb 1/1 Running 0 34s +# openrelik-server-5957548585-zzhpj 1/1 Running 0 34s +# openrelik-ui-6597bc774d-nnjln 1/1 Running 0 34s +# openrelik-worker-analyzer-config-78f84979ff-9v5fp 1/1 Running 0 34s +# openrelik-worker-extraction-6dc457bc6-6kjjl 1/1 Running 0 34s +# openrelik-worker-hayabusa-74d9c78bb5-ttkv4 1/1 Running 0 34s +# openrelik-worker-plaso-78ffb5b75-dmnnc 1/1 Running 0 34s +# openrelik-worker-strings-9648dfbf-b5s55 1/1 Running 0 33s +``` + +#### 2.2.6. 
Initialise the Openrelik DB + +```console +export SERVER_POD=$(kubectl get pod -l app=server -n openrelik -o jsonpath="{.items[0].metadata.name}") +kubectl exec -it ${SERVER_POD} -n openrelik -c openrelik-server -- \ + bash -c 'cd /app/openrelik/datastores/sql && \ + export SQLALCHEMY_DATABASE_URL=$(grep database_url /var/config/settings.toml | sed "s/database_url = //" | sed "s/\"//g") && \ + alembic upgrade head' +``` + +#### 2.2.7. Create the ```admin``` user + +```console +export USER_PWD="" +export SERVER_POD=$(kubectl get pod -l app=server -n openrelik -o jsonpath="{.items[0].metadata.name}") +kubectl exec -it ${SERVER_POD} -n openrelik -c openrelik-server -- \ + bash -c "python admin.py create-user admin --password ${USER_PWD} --admin" +``` + +## 3. Connect to the UI + +Run the command below and then point your browser to the displayed URL: + +```console +echo "https://$OPENRELIK_HOSTNAME" +``` + +## 4. Cleaning up + +We recommend that you clean up the installation after you are done with your testing to avoid any future charges. +To do so you have two options to clean up the installation. + +1. Delete the Google Cloud Project and with it all the resources contained in it. +2. Build back sequentially what we installed (this can be useful in case you want to make some adjustments and re-install bits an pieces). + +### 3.1. Delete the Google Cloud Project + +You can delete the entire Google Cloud Project (and all resources contained in it) by going to the [Resource Manager](https://console.cloud.google.com/cloud-resource-manager), select your Project and delete it (you will need to confirm your action by copying the Project ID). +You can find more info in the [online documentation](https://cloud.google.com/resource-manager/docs/creating-managing-projects#shutting_down_projects). + +### 3.2. Build back sequentially + +Sequentially building back the installation can be useful for cases where you would like to make some adjustments to your current installtion. 
+For such cases just build back as far as needed to make your adjustments and then roll forward the installation again following the original instructions. + +To uninstall/delete a Helm deployment with a release name of `openrelik-on-k8s`: + +```console +helm uninstall openrelik-on-k8s +``` + +> **Tip**: Please update based on the release name chosen. You can list all releases using `helm list` + +## Parameters + +### Global parameters + +| Name | Description | Value | +| ---------------------------- | ------------------------------------- | ------- | +| `global.localData` | Allocates local PVC for data storage. | `true` | +| `global.useResourceRequests` | Allocates resources to the pods. | `false` | + +### OpenRelik parameters + +| Name | Description | Value | +| -------------------------------------- | --------------------------------------------------- | --------------------------------------------------------------- | +| `openrelik.mediator.image` | Sets the OpenRelik mediator container image to use. | `ghcr.io/openrelik/openrelik-mediator:2024.12.12` | +| `openrelik.mediator.replicas` | Sets the amount of OpenRelik mediator pods to run. | `1` | +| `openrelik.server.image` | Sets the OpenRelik server container image to use. | `ghcr.io/openrelik/openrelik-server:2024.12.12` | +| `openrelik.server.port` | Sets the OpenRelik server port to use. | `8710` | +| `openrelik.server.replicas` | Sets the amount of OpenRelik server pods to run. | `1` | +| `openrelik.server.url` | Sets the OpenRelik server URL to use. | `` | +| `openrelik.ui.image` | Sets the OpenRelik UI container image to use. | `ghcr.io/openrelik/openrelik-ui:2024.12.12` | +| `openrelik.ui.port` | Sets the OpenRelik UI port to use. | `8711` | +| `openrelik.ui.replicas` | Sets the amount of OpenRelik UI pods to run. | `1` | +| `openrelik.worker.analyzer.image` | Sets the analyzer-config container image to use. 
| `ghcr.io/openrelik/openrelik-worker-analyzer-config:2024.11.27` | +| `openrelik.worker.analyzer.replicas` | Sets the amount of analyzer-config pods to run. | `1` | +| `openrelik.worker.extraction.image` | Sets the extraction container image to use. | `ghcr.io/openrelik/openrelik-worker-extraction:2024.11.27` | +| `openrelik.worker.extraction.replicas` | Sets the amount of extraction pods to run. | `1` | +| `openrelik.worker.hayabusa.image` | Sets the hayabusa container image to use. | `ghcr.io/openrelik/openrelik-worker-hayabusa:2024.11.27` | +| `openrelik.worker.hayabusa.replicas` | Sets the amount of hayabusa pods to run. | `1` | +| `openrelik.worker.plaso.image` | Sets the plaso container image to use. | `ghcr.io/openrelik/openrelik-worker-plaso:2024.11.27` | +| `openrelik.worker.plaso.replicas` | Sets the amount of plaso pods to run. | `1` | +| `openrelik.worker.strings.image` | Sets the strings container image to use. | `ghcr.io/openrelik/openrelik-worker-strings:2024.11.27` | +| `openrelik.worker.strings.replicas` | Sets the amount of strings pods to run. | `1` | + +### Postgres parameters + +| Name | Description | Value | +| ------------------------------- | -------------------------------------------------------------------- | ---------------------------------- | +| `postgres.db` | Sets the Postgres DB name. | `openrelik` | +| `postgres.image` | Sets the strings container image to use. | `postgres:17` | +| `postgres.managedSecret` | Enables a managed secret for the Postgres DB password. | `false` | +| `postgres.managedSecretVersion` | Sets the version of the managed secret for the Postgres DB password. | `1` | +| `postgres.password` | Sets the Postgres DB password. | `` | +| `postgres.user` | Sets the Postgres DB user name. | `` | +| `postgres.selfManaged` | Enables a Postgres DB containter to be deployed into the cluster. 
| `true` | + +### Redis parameters + +| Name | Description | Value | +| ------------------- | ----------------------------------------------------------- | ------------------------ | +| `redis.image` | Sets the strings container image to use. | `redis:7` | +| `redis.url` | Sets the Redis URL. | `redis://svc-redis:6379` | +| `redis.selfManaged` | Enables a Redis containter to be deployed into the cluster. | `true` | + +### Filestore parameters + +| Name | Description | Value | +| ------------------- | --------------------------------------------------------- | ------- | +| `filestore.managed` | Enables a Google Cloud Filestore instance to be deployed. | `false` | + +### Gateway API parameters + +| Name | Description | Value | +| ----------------- | --------------------------------------------------------- | ------- | +| `gateway.managed` | Enables a Gateway API Global Loadbalancer to be deployed. | `false` | + +Copyright © 2025 OpenRelik + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/helm/config.sh b/helm/config.sh new file mode 100755 index 0000000..3dc8c6b --- /dev/null +++ b/helm/config.sh 
@@ -0,0 +1,136 @@ +#!/bin/bash + +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +#set -x + +cat << "EOF" + + ____ _____ _ _ _ + / __ \ | __ \ | (_) | + | | | |_ __ ___ _ __ | |__) |___| |_| | __ + | | | | '_ \ / _ \ '_ \| _ // _ \ | | |/ / + | |__| | |_) | __/ | | | | \ \ __/ | | < + \____/| .__/ \___|_| |_|_| \_\___|_|_|_|\_\ + | | + |_| + +EOF + +OPENRELIK_API_URL="http://localhost:8710" +OPENRELIK_URL="http://localhost:8711" + +if [[ "$1" == "cloud" ]]; then + OPENRELIK_API_HOSTNAME="openrelik.${OPENRELIK_HOSTNAME}" + OPENRELIK_API_URL="https:\/\/${OPENRELIK_API_HOSTNAME}" + OPENRELIK_URL="https:\/\/${OPENRELIK_HOSTNAME}" + echo "CERTIFICATE_NAME: ${CERTIFICATE_NAME}" + echo "OPENRELIK_HOSTNAME: ${OPENRELIK_HOSTNAME}" + echo "PROJECT: ${PROJECT}" + echo "REDIS_ADDRESS: ${REDIS_ADDRESS}" + echo "ZONE: ${ZONE}" +elif [[ "$1" == "local" ]]; then + ENABLE_GCP=false + OPENRELIK_DB="openrelik" + OPENRELIK_DB_ADDRESS="svc-postgres" + OPENRELIK_DB_USER="openrelik" + PROJECT="none" + ZONE="none" +else + echo "usage: config.sh [cloud|local]" + exit +fi + +# Generates a random string of a specified length using characters from a defined set. 
+function generate_random_string() { + local charset="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" + local length=32 + openssl rand -base64 32 | tr -dc "$charset" | fold -w "$length" | head -n 1 +} + +# This function replaces all occurrences of a search pattern within a specified file +# with a given replacement value. It ensures compatibility with both GNU and BSD +# versions of the 'sed' command. +replace_in_file() { + local search_pattern="$1" + local replacement_value="$2" + local filename="$3" + # Portable sed usage: handle both GNU and BSD sed + if sed --version 2>&1 | grep -q GNU; then + sed -i "s#${search_pattern}#${replacement_value}#g" "$(unknown)" + else + sed -i "" "s#${search_pattern}#${replacement_value}#g" "$(unknown)" + fi +} + +# Setup variables +echo -e "\033[1;34m[1/8] Setting up variables...\033[0m\c" +STORAGE_PATH="\/usr\/share\/openrelik\/data\/artifacts" +POSTGRES_PASSWORD="$(generate_random_string)" +RANDOM_JWT_STRING="$(generate_random_string)" +RANDOM_SESSION_STRING="$(generate_random_string)" +echo -e "\r\033[1;32m[1/8] Setting up variables... Done\033[0m" + +echo "ENABLE_GCP: ${ENABLE_GCP}" +echo "OPENRELIK_API_HOSTNAME: ${OPENRELIK_API_HOSTNAME}" +echo "OPENRELIK_API_URL: ${OPENRELIK_API_URL}" +echo "OPENRELIK_DB: ${OPENRELIK_DB}" +echo "OPENRELIK_DB_ADDRESS: ${OPENRELIK_DB_ADDRESS}" +echo "OPENRELIK_DB_USER: ${OPENRELIK_DB_USER}" +echo "OPENRELIK_URL: ${OPENRELIK_URL}" +echo "RANDOM_JWT_STRING: ${RANDOM_JWT_STRING}" +echo "RANDOM_SESSION_STRING: ${RANDOM_SESSION_STRING}" +echo "STORAGE_PATH: ${STORAGE_PATH}" + +# Fetch installation files +echo -e "\033[1;34m[2/8] Copying settings file...\033[0m\c" +cp settings_template.toml settings.toml +echo -e "\r\033[1;32m[2/8] Copying settings file... 
Done\033[0m" + +# Replace placeholder values in settings.toml +echo -e "\033[1;34m[3/8] Configuring settings...\033[0m\c" +replace_in_file "" "${OPENRELIK_URL}" "settings.toml" +replace_in_file "" "${OPENRELIK_API_URL}" "settings.toml" +replace_in_file "" "${ENABLE_GCP}" "settings.toml" +replace_in_file "" "${OPENRELIK_DB}" "settings.toml" +replace_in_file "" "${OPENRELIK_DB_USER}" "settings.toml" +replace_in_file "" "${OPENRELIK_DB_ADDRESS}" "settings.toml" +replace_in_file "" "${PROJECT}" "settings.toml" +replace_in_file "" "${RANDOM_SESSION_STRING}" "settings.toml" +replace_in_file "" "${RANDOM_JWT_STRING}" "settings.toml" +replace_in_file "" "${STORAGE_PATH}" "settings.toml" +replace_in_file "" "${OPENRELIK_URL}" "settings.toml" +replace_in_file "" "${ZONE}" "settings.toml" + +if [[ "$1" == "cloud" ]]; then +# Replace placeholders in values-gcp.yaml +replace_in_file "" "${OPENRELIK_API_HOSTNAME}" "values-gcp.yaml" +replace_in_file "" "${OPENRELIK_API_URL}" "values-gcp.yaml" +replace_in_file "" "${CERTIFICATE_NAME}" "values-gcp.yaml" +replace_in_file "" "${PROJECT}" "values-gcp.yaml" +replace_in_file "" "redis:\/\/${REDIS_ADDRESS}:6379" "values-gcp.yaml" +replace_in_file "" "${OPENRELIK_HOSTNAME}" "values-gcp.yaml" +fi + +if [[ "$1" == "local" ]]; then +# Replace placeholders in values.yaml +replace_in_file "" "${POSTGRES_PASSWORD}" "settings.toml" +replace_in_file "" "${OPENRELIK_API_URL}" "values.yaml" +replace_in_file "" "${POSTGRES_PASSWORD}" "values.yaml" +replace_in_file "" "${OPENRELIK_DB_USER}" "values.yaml" +fi +echo -e "\r\033[1;32m[3/8] Configuration settings... Done\033[0m" + +mkdir -p templates/configmap +kubectl create configmap cm-settings --dry-run=client -o=yaml --from-file=settings.toml -n openrelik > templates/configmap/cm-settings.yaml diff --git a/helm/filestore/pvc-filestore.yaml b/helm/filestore/pvc-filestore.yaml new file mode 100644 index 0000000..d36f9af --- /dev/null +++ b/helm/filestore/pvc-filestore.yaml 
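Review bot: The freshly generated signing material is printed to the terminal by `echo "RANDOM_JWT_STRING: ${RANDOM_JWT_STRING}"` and `echo "RANDOM_SESSION_STRING: ${RANDOM_SESSION_STRING}"`, and then — together with `POSTGRES_PASSWORD` in local mode — written into `settings.toml` and, by the final `kubectl create configmap ... --from-file=settings.toml` line, into `templates/configmap/cm-settings.yaml`; the JWT key, session key and DB password therefore end up in shell history or CI logs, in plaintext files inside the chart tree, and in a ConfigMap readable by anyone with `get configmaps` in the namespace rather than in a Secret. Drop the two echo lines, make sure `settings.toml`, `values.yaml` and `templates/configmap/` are ignored by git, and consider `kubectl create secret generic` with a matching `secret:` volume in the deployments. Separately, the script runs without `set -euo pipefail`, so if `openssl` is missing `generate_random_string` yields an empty string and the placeholders are silently replaced with empty keys; guard with `[[ -n "$RANDOM_JWT_STRING" && -n "$RANDOM_SESSION_STRING" && -n "$POSTGRES_PASSWORD" ]] || { echo "key generation failed" >&2; exit 1; }` before the substitutions.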
@@ -0,0 +1,12 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: pvc-filestore
+ namespace: openrelik
+spec:
+ accessModes:
+ - ReadWriteMany
+ storageClassName: sc-ms-512
+ resources:
+ requests:
+ storage: 512Gi
diff --git a/helm/filestore/sc-ms-512.yaml b/helm/filestore/sc-ms-512.yaml
new file mode 100644
index 0000000..33122a6
--- /dev/null
+++ b/helm/filestore/sc-ms-512.yaml
@@ -0,0 +1,13 @@
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+ name: sc-ms-512
+ namespace: openrelik
+provisioner: filestore.csi.storage.gke.io
+parameters:
+ tier: enterprise
+ multishare: "true"
+ max-volume-size: "512Gi"
+ network: gke-vpc
+volumeBindingMode: Immediate
+allowVolumeExpansion: true
diff --git a/helm/settings_template.toml b/helm/settings_template.toml
new file mode 100644
index 0000000..a60bbe4
--- /dev/null
+++ b/helm/settings_template.toml
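Review bot: The StorageClass `sc-ms-512` sets no `reclaimPolicy`, so volumes it provisions default to `Delete`; deleting `pvc-filestore` — or the `openrelik` namespace it lives in — destroys the Filestore share holding the forensic artifacts with no way back. For an evidence store `reclaimPolicy: Retain` is the safer default; add it next to `volumeBindingMode: Immediate`, and note the consequence in the README's clean-up section. The `namespace: openrelik` field on the StorageClass is ignored because StorageClass is cluster-scoped and can be dropped.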
@@ -0,0 +1,68 @@ +[server] + +# This should be set to the URL of your backend server. +api_server_url = "" + +# This should be set to the URL of your frontend server. +ui_server_url = "" + +# This should be set to the URL of your frontend server. +allowed_origins = [""] + +# Path to files +storage_path = "" + +[datastores.sqlalchemy] +# Postgresql: postgresql://user:password@postgresserver/db +database_url = "postgresql://:@/" + +[auth] +# Secret key for the Session middleware and JWT signing. +# IMPORTANT: Create a random string, e.g: openssl rand -base64 32 +secret_session_key = "" +secret_jwt_key = "" + +# Algorithm to use for JWT. +jwt_algorithm = "HS256" + +# UI token expiration in minutes. +jwt_cookie_refresh_expire_minutes = 1440 # 24 hours +jwt_cookie_access_expire_minutes = 720 # 12 hours + +# API key token expiration in minutes, if not set by the user upon creation. +jwt_header_default_refresh_expire_minutes = 10080 # 7 days +jwt_header_default_access_expire_minutes = 5 # 5 minutes + +[auth.google] +# Google OAuth authentication. You need to create credentials in a Google Cloud project: +# https://developers.google.com/workspace/guides/create-credentials#oauth-client-id +client_id = "" +client_secret = "" + +# Restrict logins from a Google Workspace domain. +# Empty value = any domain, including gmail.com +workspace_domain = "" + +# Allow only these users (email address) to access the server. +allowlist = ["@gmail.com"] + +# Allow anyone (who is authenitcated) to access the server. +# Note: If a workspace_domain is set then the public_access is limited to that domain. +# WARNING: This allows anyone to login to your server! +public_access = false + +[ui] +# data_types that will be rendered using unescaped HTML in a sandboxed iframe in the +# frontend UI. +allowed_data_types_preview = [ + "openrelik:hayabusa:html_report" +] + +# Enable cloud features such as adding cloud disks. +# This requires your OpenRelik installation to run on cloud VMs. 
+[cloud.gcp] +name = "gcp" +display_name = "Google Cloud Platform" +project_name = "" +zone = "" +enabled = "" diff --git a/helm/templates/_helpers.tpl b/helm/templates/_helpers.tpl new file mode 100644 index 0000000..1bee082 --- /dev/null +++ b/helm/templates/_helpers.tpl 
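Review bot: `enabled = ""` under `[cloud.gcp]` is a quoted TOML string, while the sibling flag `public_access = false` is a boolean; after `config.sh` substitutes `ENABLE_GCP` the value is the string `"false"` or `"true"`, and unless the server explicitly parses that string a non-empty `"false"` is truthy and turns the cloud features on in the local deployment. Either write the placeholder unquoted so the substitution yields a boolean, or state in the comment above it that the server expects the literal strings. The comment on `allowed_origins` is a copy of the `ui_server_url` one; something like `# CORS origins allowed to call the API; normally just the UI URL above.` would describe the setting. It is also worth a line next to `secret_session_key`, `secret_jwt_key` and `database_url` saying that this file is shipped to pods as the `cm-settings` ConfigMap (the deployments mount it by that name), so those values are readable by anyone who can read ConfigMaps in the namespace and belong in a Secret.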
@@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "openrelik.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "openrelik.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "openrelik.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "openrelik.labels" -}} +helm.sh/chart: {{ include "openrelik.chart" . }} +{{ include "openrelik.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "openrelik.selectorLabels" -}} +app.kubernetes.io/name: {{ include "openrelik.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "openrelik.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "openrelik.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} 
diff --git a/helm/templates/deployment/dpl-mediator.yaml b/helm/templates/deployment/dpl-mediator.yaml new file mode 100644 index 0000000..d75f02e --- /dev/null +++ b/helm/templates/deployment/dpl-mediator.yaml 
@@ -0,0 +1,97 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: openrelik-mediator + namespace: openrelik + labels: + app: mediator +spec: + replicas: {{ .Values.openrelik.mediator.replicas }} + selector: + matchLabels: + app: mediator + strategy: + type: Recreate + template: + metadata: + labels: + app: mediator + spec: + serviceAccountName: openrelik-sa + initContainers: + - name: create-dirs + image: busybox:1.37 + command: ['sh', '-c', "mkdir -p /usr/share/openrelik/data/artifacts; mkdir -p /usr/share/openrelik/config"] + volumeMounts: + - name: vol-data + mountPath: /usr/share/openrelik + {{- if .Values.postgres.managedSecret }} + - name: init-server + image: busybox:1.37.0 + command: ["/bin/sh", "-c"] + args: ["export DB_PWD=$(cat /var/secrets/password.txt); cp /etc/openrelik/settings.toml /var/config/settings.toml; sed -i \"s//$DB_PWD/g\" /var/config/settings.toml"] + volumeMounts: + - name: vol-openrelik-db-sec + mountPath: /var/secrets + - name: vol-settings + mountPath: /etc/openrelik/settings.toml + subPath: settings.toml + - name: vol-config + mountPath: /var/config + {{- end }} + containers: + - name: openrelik-mediator + image: {{ .Values.openrelik.mediator.image }} + {{- if .Values.global.useResourceRequests }} + resources: + requests: + memory: "2Gi" + cpu: "1000m" + {{- end }} + args: + - python + - mediator.py + env: + - name: OPENRELIK_SERVER_SETTINGS + value: /var/config/settings.toml + - name: PYTHONUNBUFFERED + value: "1" + - name: REDIS_URL + value: {{ .Values.redis.url }} + volumeMounts: + - name: vol-data + mountPath: /usr/share/openrelik + {{- if .Values.filestore.managed }} + - name: vol-config + mountPath: /var/config + {{- end }} + {{- if .Values.global.localData }} + - name: vol-settings + mountPath: /var/config/settings.toml + subPath: settings.toml + {{- end }} + restartPolicy: Always + volumes: + - name: vol-settings + configMap: + name: cm-settings + {{- if .Values.global.localData }} + - name: vol-data + 
persistentVolumeClaim: + claimName: pvc-local + {{- end }} + {{- if .Values.filestore.managed }} + - name: vol-data + persistentVolumeClaim: + claimName: pvc-filestore + {{- end }} + {{- if .Values.postgres.managedSecret }} + - name: vol-openrelik-db-sec + csi: + driver: secrets-store-gke.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: sec-openrelik-db + - name: vol-config + emptyDir: {} + {{- end }} diff --git a/helm/templates/deployment/dpl-postgres.yaml b/helm/templates/deployment/dpl-postgres.yaml new file mode 100644 index 0000000..44a1cc0 --- /dev/null +++ b/helm/templates/deployment/dpl-postgres.yaml @@ -0,0 +1,39 @@ +{{- if .Values.postgres.selfManaged }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: openrelik-postgres + namespace: openrelik + labels: + app: openrelik-postgres +spec: + replicas: 1 + selector: + matchLabels: + app: openrelik-postgres + template: + metadata: + labels: + app: openrelik-postgres + spec: + containers: + - name: openrelik-postgres + image: {{ .Values.postgres.image }} + ports: + - containerPort: 5432 + env: + - name: POSTGRES_DB + value: {{ .Values.postgres.db }} + - name: POSTGRES_USER + value: {{ .Values.postgres.user }} + - name: POSTGRES_PASSWORD + value: {{ .Values.postgres.password }} + volumeMounts: + - mountPath: /var/lib/postgresql/data + name: vol-postgres + restartPolicy: Always + volumes: + - name: vol-postgres + persistentVolumeClaim: + claimName: pvc-postgres +{{- end }} diff --git a/helm/templates/deployment/dpl-redis.yaml b/helm/templates/deployment/dpl-redis.yaml new file mode 100644 index 0000000..1258919 --- /dev/null +++ b/helm/templates/deployment/dpl-redis.yaml 
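Review bot: In the `init-server` init container the database password read from `/var/secrets/password.txt` is interpolated unescaped into a sed expression, `sed -i "s//$DB_PWD/g"`, so a secret containing `/`, `&` or `\` — all legal in a Secret Manager value — either aborts the substitution or writes a mangled `database_url`, and since the container exits 0 either way the mediator then fails to connect with a misleading error. Either constrain the generated password to URL-safe alphanumerics where it is created and document that, or fail fast before the sed: `case "$DB_PWD" in ""|*[/\&\\]*) echo "DB password is empty or contains / & \\" >&2; exit 1;; esac`. A `\"` in the value would also break the quoted sed argument; the same check covers it if `\"` is added to the class.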
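Review bot: `POSTGRES_PASSWORD` is passed as a literal `value: {{ .Values.postgres.password }}`, so the password is stored in plaintext in the rendered Deployment, in `kubectl get deploy -o yaml` output and in every Helm release revision; it should come from a Secret via `valueFrom.secretKeyRef`, and the three `value:` lines should be passed through `| quote` so a numeric-looking DB name or password is not re-typed by YAML. The deployment also lacks the `strategy: type: Recreate` every other deployment in this chart sets, so the default RollingUpdate starts a second postgres pod against the same `pvc-postgres` data directory during an upgrade, which either hangs the rollout on a multi-attach error or risks two postmasters on one data directory. Presumably the chart would create the Secret from `postgres.password` when `postgres.selfManaged` is true — confirm the intended source.
```yaml
spec:
  replicas: 1
  # Postgres must never run twice against the same data directory.
  strategy:
    type: Recreate
  # … unchanged: selector, template metadata …
      containers:
      - name: openrelik-postgres
        # … unchanged: image, ports …
        env:
        - name: POSTGRES_DB
          value: {{ .Values.postgres.db | quote }}
        - name: POSTGRES_USER
          value: {{ .Values.postgres.user | quote }}
        - name: POSTGRES_PASSWORD
          valueFrom:
            secretKeyRef:
              name: openrelik-postgres-credentials  # Secret created by the chart from postgres.password
              key: password
        # … unchanged: volumeMounts, volumes …
```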
@@ -0,0 +1,28 @@
+{{- if .Values.redis.selfManaged }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: openrelik-redis
+ namespace: openrelik
+ labels:
+ app: openrelik-redis
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: openrelik-redis
+ template:
+ metadata:
+ labels:
+ app: openrelik-redis
+ spec:
+ containers:
+ - name: openrelik-redis
+ args:
+ - redis-server
+ image: {{ .Values.redis.image }}
+ ports:
+ - containerPort: 6379
+ protocol: TCP
+ restartPolicy: Always
+{{- end }}
diff --git a/helm/templates/deployment/dpl-server.yaml b/helm/templates/deployment/dpl-server.yaml
new file mode 100644
index 0000000..9dc2001
--- /dev/null
+++ b/helm/templates/deployment/dpl-server.yaml
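Review bot: Redis is started as bare `redis-server` with no `--requirepass`, and the chart's `redis.url` default `redis://svc-redis:6379` carries no credentials, so the Celery broker that the server, mediator and every worker trust is reachable unauthenticated by any pod that can resolve `svc-redis`; as far as this chart shows, no NetworkPolicy narrows that. Anyone who reaches it can enqueue arbitrary tasks to the workers or read result payloads. Add a NetworkPolicy restricting ingress on 6379 to the openrelik pods, or set a password from a Secret — `args: ["redis-server", "--requirepass", "$(REDIS_PASSWORD)"]` with a `valueFrom.secretKeyRef` env entry and `redis://:<password>@svc-redis:6379` in `redis.url` — and say in the values comment which of the two is expected in production.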
@@ -0,0 +1,107 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: openrelik-server + namespace: openrelik + labels: + app: server +spec: + replicas: {{ .Values.openrelik.server.replicas }} + selector: + matchLabels: + app: server + strategy: + type: Recreate + template: + metadata: + labels: + app: server + spec: + serviceAccountName: openrelik-sa + initContainers: + - name: create-dirs + image: busybox:1.37 + command: ['sh', '-c', "mkdir -p /usr/share/openrelik/data/artifacts; mkdir -p /usr/share/openrelik/config"] + volumeMounts: + - name: vol-data + mountPath: /usr/share/openrelik + {{- if .Values.postgres.managedSecret }} + - name: init-server + image: busybox:1.37.0 + command: ["/bin/sh", "-c"] + args: ["export DB_PWD=$(cat /var/secrets/password.txt); cp /etc/openrelik/settings.toml /var/config/settings.toml; sed -i \"s//$DB_PWD/g\" /var/config/settings.toml"] + volumeMounts: + - name: vol-openrelik-db-sec + mountPath: /var/secrets + - name: vol-settings + mountPath: /etc/openrelik/settings.toml + subPath: settings.toml + - name: vol-config + mountPath: /var/config + {{- end }} + containers: + - name: openrelik-server + image: {{ .Values.openrelik.server.image }} + {{- if .Values.global.useResourceRequests }} + resources: + requests: + memory: "2Gi" + cpu: "1000m" + {{- end }} + args: + - uvicorn + - main:app + - --proxy-headers + - --forwarded-allow-ips + - '*' + - --workers + - "1" + - --host + - 0.0.0.0 + - --port + - "{{ .Values.openrelik.server.port }}" + env: + - name: OPENRELIK_SERVER_SETTINGS + value: /var/config/settings.toml + - name: REDIS_URL + value: {{ .Values.redis.url }} + ports: + - containerPort: {{ .Values.openrelik.server.port }} + protocol: TCP + volumeMounts: + - name: vol-data + mountPath: /usr/share/openrelik + {{- if .Values.global.localData }} + - name: vol-settings + mountPath: /var/config/settings.toml + subPath: settings.toml + {{- end }} + {{- if .Values.filestore.managed }} + - name: vol-config + mountPath: /var/config 
+ {{- end }} + restartPolicy: Always + volumes: + - name: vol-settings + configMap: + name: cm-settings + {{- if .Values.global.localData }} + - name: vol-data + persistentVolumeClaim: + claimName: pvc-local + {{- end }} + {{- if .Values.filestore.managed }} + - name: vol-data + persistentVolumeClaim: + claimName: pvc-filestore + {{- end }} + {{- if .Values.postgres.managedSecret }} + - name: vol-openrelik-db-sec + csi: + driver: secrets-store-gke.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: sec-openrelik-db + - name: vol-config + emptyDir: {} + {{- end }} diff --git a/helm/templates/deployment/dpl-ui.yaml b/helm/templates/deployment/dpl-ui.yaml new file mode 100644 index 0000000..fef88d3 --- /dev/null +++ b/helm/templates/deployment/dpl-ui.yaml @@ -0,0 +1,37 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: openrelik-ui + namespace: openrelik + labels: + app: ui +spec: + replicas: {{ .Values.openrelik.ui.replicas }} + selector: + matchLabels: + app: ui + template: + metadata: + labels: + app: ui + spec: + containers: + - name: openrelik-ui + image: {{ .Values.openrelik.ui.image }} + {{- if .Values.global.useResourceRequests }} + resources: + requests: + memory: "2Gi" + cpu: "1000m" + {{- end }} + env: + - name: OPENRELIK_API_VERSION + value: v1 + - name: OPENRELIK_AUTH_METHODS + value: local + - name: OPENRELIK_SERVER_URL + value: '{{ .Values.openrelik.server.url }}' + ports: + - containerPort: {{ .Values.openrelik.ui.port }} + protocol: TCP + restartPolicy: Always diff --git a/helm/templates/deployment/dpl-worker-analyzer-config.yaml b/helm/templates/deployment/dpl-worker-analyzer-config.yaml new file mode 100644 index 0000000..0caa7c8 --- /dev/null +++ b/helm/templates/deployment/dpl-worker-analyzer-config.yaml 
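Review bot: `--forwarded-allow-ips '*'` makes uvicorn honour `X-Forwarded-For` and `X-Forwarded-Proto` from every peer, but `svc-server` is a plain ClusterIP Service that the README also reaches directly over a port-forward, so any workload in the cluster — not only the Gateway — can present a spoofed client address and scheme; if the server uses the client address for audit logging or rate limiting, that field is attacker-controlled. Make the value a chart setting, `- "{{ .Values.openrelik.server.forwardedAllowIps | default "*" }}"`, keep `*` for the minikube values file and set the Gateway data-plane address range in `values-gcp.yaml` (recent uvicorn releases accept networks as well as addresses — confirm for the pinned server image). The `init-server` container's `sed -i "s//$DB_PWD/g"` interpolates the Secret Manager password unescaped, so `/`, `&` or `\` in the secret corrupts `database_url` while the init container still exits 0; reject such values before the sed or constrain the generated password to URL-safe alphanumerics.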
@@ -0,0 +1,62 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: openrelik-worker-analyzer-config + namespace: openrelik + labels: + worker: analyzer-config +spec: + replicas: {{ .Values.openrelik.worker.analyzer.replicas }} + selector: + matchLabels: + worker: analyzer-config + strategy: + type: Recreate + template: + metadata: + labels: + worker: analyzer-config + spec: + initContainers: + - name: create-dirs + image: busybox:1.37 + command: ['sh', '-c', "mkdir -p /usr/share/openrelik/data/artifacts; mkdir -p /usr/share/openrelik/config"] + volumeMounts: + - name: vol-data + mountPath: /usr/share/openrelik + containers: + - name: openrelik-worker-analyzer-config + image: {{ .Values.openrelik.worker.analyzer.image }} + {{- if .Values.global.useResourceRequests }} + resources: + requests: + memory: "2Gi" + cpu: "1000m" + {{- end }} + args: + - celery + - --app=src.app + - worker + - --task-events + - --concurrency=4 + - --loglevel=INFO + - -Q + - openrelik-worker-analyzer-config + env: + - name: REDIS_URL + value: {{ .Values.redis.url }} + volumeMounts: + - name: vol-data + mountPath: /usr/share/openrelik + restartPolicy: Always + volumes: + {{- if .Values.global.localData }} + - name: vol-data + persistentVolumeClaim: + claimName: pvc-local + {{- end }} + {{- if .Values.filestore.managed }} + - name: vol-data + persistentVolumeClaim: + claimName: pvc-filestore + {{- end }} diff --git a/helm/templates/deployment/dpl-worker-extraction.yaml b/helm/templates/deployment/dpl-worker-extraction.yaml new file mode 100644 index 0000000..ae62fba --- /dev/null +++ b/helm/templates/deployment/dpl-worker-extraction.yaml 
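Review bot: The analyzer worker runs with the pod defaults — no `securityContext`, the namespace's default ServiceAccount with its token auto-mounted, and read-write access to the whole shared artifact store at `/usr/share/openrelik` — while its job is to parse attacker-controlled evidence, so a parser exploit yields a process that can rewrite every case's artifacts and present a Kubernetes API token. Workers never talk to the API server here, so `automountServiceAccountToken: false` is free, and a hardening block that drops capabilities, forbids privilege escalation and enables the runtime seccomp profile costs nothing unless the image depends on them; confirm the worker image runs as a non-root UID before adding `runAsNonRoot: true`. The same block applies to the other worker templates in this chart.
```yaml
    spec:
      # Workers parse untrusted evidence; give them no API token and no privileges.
      automountServiceAccountToken: false
      securityContext:
        runAsNonRoot: true   # confirm the worker image runs as a non-root UID first
        seccompProfile:
          type: RuntimeDefault
      # … unchanged: initContainers …
      containers:
      - name: openrelik-worker-analyzer-config
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
        # … unchanged: image, resources, args, env, volumeMounts …
```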
@@ -0,0 +1,64 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: openrelik-worker-extraction + namespace: openrelik + labels: + worker: extraction +spec: + replicas: {{ .Values.openrelik.worker.extraction.replicas }} + selector: + matchLabels: + worker: extraction + strategy: + type: Recreate + template: + metadata: + labels: + worker: extraction + spec: + initContainers: + - name: create-dirs + image: busybox:1.37 + command: ['sh', '-c', "mkdir -p /usr/share/openrelik/data/artifacts; mkdir -p /usr/share/openrelik/config"] + volumeMounts: + - name: vol-data + mountPath: /usr/share/openrelik + containers: + - name: openrelik-worker-extraction + image: {{ .Values.openrelik.worker.extraction.image }} + {{- if .Values.global.useResourceRequests }} + resources: + requests: + memory: "2Gi" + cpu: "1000m" + {{- end }} + args: + - celery + - --app=src.app + - worker + - --task-events + - --concurrency=2 + - --loglevel=INFO + - -Q + - openrelik-worker-extraction + env: + - name: OPENRELIK_PYDEBUG + value: "0" + - name: REDIS_URL + value: {{ .Values.redis.url }} + volumeMounts: + - name: vol-data + mountPath: /usr/share/openrelik + restartPolicy: Always + volumes: + {{- if .Values.global.localData }} + - name: vol-data + persistentVolumeClaim: + claimName: pvc-local + {{- end }} + {{- if .Values.filestore.managed }} + - name: vol-data + persistentVolumeClaim: + claimName: pvc-filestore + {{- end }} diff --git a/helm/templates/deployment/dpl-worker-hayabusa.yaml b/helm/templates/deployment/dpl-worker-hayabusa.yaml new file mode 100644 index 0000000..b2feddf --- /dev/null +++ b/helm/templates/deployment/dpl-worker-hayabusa.yaml 
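Review bot: The extraction worker declares only `resources.requests` — and only when `global.useResourceRequests` is set — with no `limits`, yet it is the component that unpacks attacker-supplied archives, so a decompression bomb or deeply nested archive can consume unbounded memory and node scratch space and evict neighbouring pods. Add limits beside the requests, e.g. `limits: { memory: "4Gi", cpu: "2000m", ephemeral-storage: "20Gi" }`, sized to the temporary-file usage of the extraction tooling (extracted output lands on the shared PVC, but temp files do not), and keep the `limits` block outside the `useResourceRequests` conditional so it applies by default.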
@@ -0,0 +1,62 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: openrelik-worker-hayabusa + namespace: openrelik + labels: + worker: hayabusa +spec: + replicas: {{ .Values.openrelik.worker.hayabusa.replicas }} + selector: + matchLabels: + worker: hayabusa + strategy: + type: Recreate + template: + metadata: + labels: + worker: hayabusa + spec: + initContainers: + - name: create-dirs + image: busybox:1.37 + command: ['sh', '-c', "mkdir -p /usr/share/openrelik/data/artifacts; mkdir -p /usr/share/openrelik/config"] + volumeMounts: + - name: vol-data + mountPath: /usr/share/openrelik + containers: + - name: openrelik-worker-hayabusa + image: {{ .Values.openrelik.worker.hayabusa.image }} + {{- if .Values.global.useResourceRequests }} + resources: + requests: + memory: "2Gi" + cpu: "1000m" + {{- end }} + args: + - celery + - --app=src.app + - worker + - --task-events + - --concurrency=4 + - --loglevel=INFO + - -Q + - openrelik-worker-hayabusa + env: + - name: REDIS_URL + value: {{ .Values.redis.url }} + volumeMounts: + - name: vol-data + mountPath: /usr/share/openrelik + restartPolicy: Always + volumes: + {{- if .Values.global.localData }} + - name: vol-data + persistentVolumeClaim: + claimName: pvc-local + {{- end }} + {{- if .Values.filestore.managed }} + - name: vol-data + persistentVolumeClaim: + claimName: pvc-filestore + {{- end }} diff --git a/helm/templates/deployment/dpl-worker-plaso.yaml b/helm/templates/deployment/dpl-worker-plaso.yaml new file mode 100644 index 0000000..49ed8ad --- /dev/null +++ b/helm/templates/deployment/dpl-worker-plaso.yaml 
@@ -0,0 +1,66 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: openrelik-worker-plaso
+ namespace: openrelik
+ labels:
+ worker: plaso
+spec:
+ replicas: {{ .Values.openrelik.worker.plaso.replicas }}
+ selector:
+ matchLabels:
+ worker: plaso
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ worker: plaso
+ spec:
+ initContainers:
+ - name: create-dirs
+ image: busybox:1.37
+ command: ['sh', '-c', "mkdir -p /usr/share/openrelik/data/artifacts; mkdir -p /usr/share/openrelik/config"]
+ volumeMounts:
+ - name: vol-data
+ mountPath: /usr/share/openrelik
+ containers:
+ - name: openrelik-worker-plaso
+ image: {{ .Values.openrelik.worker.plaso.image }}
+ {{- if .Values.global.useResourceRequests }}
+ resources:
+ requests:
+ memory: "2Gi"
+ cpu: "1000m"
+ {{- end }}
+ args:
+ - celery
+ - --app=src.app
+ - worker
+ - --task-events
+ - --concurrency=2
+ - --loglevel=INFO
+ - -Q
+ - openrelik-worker-plaso
+ env:
+ - name: OPENRELIK_PYDEBUG
+ value: "0"
+ - name: OPENRELIK_PYDEBUG_PORT
+ value: "5678"
+ - name: REDIS_URL
+ value: {{ .Values.redis.url }}
+ volumeMounts:
+ - name: vol-data
+ mountPath: /usr/share/openrelik
+ restartPolicy: Always
+ volumes:
+ {{- if .Values.global.localData }}
+ - name: vol-data
+ persistentVolumeClaim:
+ claimName: pvc-local
+ {{- end }}
+ {{- if .Values.filestore.managed }}
+ - name: vol-data
+ persistentVolumeClaim:
+ claimName: pvc-filestore
+ {{- end }}
diff --git a/helm/templates/deployment/dpl-worker-strings.yaml b/helm/templates/deployment/dpl-worker-strings.yaml
new file mode 100644
index 0000000..7c1b939
--- /dev/null
+++ b/helm/templates/deployment/dpl-worker-strings.yaml
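Review bot: `OPENRELIK_PYDEBUG_PORT` is hard-wired to `"5678"` in the `env` list while `OPENRELIK_PYDEBUG` is `"0"`, so the port is dead configuration in a shipped production template, and the five worker templates are inconsistent about it (hayabusa carries neither variable, extraction carries only the flag, plaso and strings carry both). A debug-listener port baked into the manifest is one flipped value away from being enabled on a cluster-facing pod; either drop both variables from the templates or drive them from a single values key that defaults to off (for example a `debug` flag under `openrelik.worker`, which values.yaml does not define yet), and apply the same to dpl-worker-strings.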
@@ -0,0 +1,66 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: openrelik-worker-strings
+ namespace: openrelik
+ labels:
+ worker: strings
+spec:
+ replicas: {{ .Values.openrelik.worker.plaso.replicas }}
+ strategy:
+ type: Recreate
+ selector:
+ matchLabels:
+ worker: strings
+ template:
+ metadata:
+ labels:
+ worker: strings
+ spec:
+ initContainers:
+ - name: create-dirs
+ image: busybox:1.37
+ command: ['sh', '-c', "mkdir -p /usr/share/openrelik/data/artifacts; mkdir -p /usr/share/openrelik/config"]
+ volumeMounts:
+ - name: vol-data
+ mountPath: /usr/share/openrelik
+ containers:
+ - name: openrelik-worker-strings
+ image: {{ .Values.openrelik.worker.strings.image }}
+ {{- if .Values.global.useResourceRequests }}
+ resources:
+ requests:
+ memory: "2Gi"
+ cpu: "1000m"
+ {{- end }}
+ args:
+ - celery
+ - --app=src.app
+ - worker
+ - --task-events
+ - --concurrency=4
+ - --loglevel=INFO
+ - -Q
+ - openrelik-worker-strings
+ env:
+ - name: OPENRELIK_PYDEBUG
+ value: "0"
+ - name: OPENRELIK_PYDEBUG_PORT
+ value: "5678"
+ - name: REDIS_URL
+ value: {{ .Values.redis.url }}
+ volumeMounts:
+ - name: vol-data
+ mountPath: /usr/share/openrelik
+ restartPolicy: Always
+ volumes:
+ {{- if .Values.global.localData }}
+ - name: vol-data
+ persistentVolumeClaim:
+ claimName: pvc-local
+ {{- end }}
+ {{- if .Values.filestore.managed }}
+ - name: vol-data
+ persistentVolumeClaim:
+ claimName: pvc-filestore
+ {{- end }}
diff --git a/helm/templates/gateway/gw-openrelik.yaml b/helm/templates/gateway/gw-openrelik.yaml
new file mode 100644
index 0000000..35bad4f
--- /dev/null
+++ b/helm/templates/gateway/gw-openrelik.yaml
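Review bot: `replicas: {{ .Values.openrelik.worker.plaso.replicas }}` reads the plaso replica count for the strings deployment; it should be `replicas: {{ .Values.openrelik.worker.strings.replicas }}`, which both values.yaml and values-gcp.yaml define, otherwise changing `openrelik.worker.strings.replicas` has no effect and scaling plaso silently scales strings with it. This template also places `strategy` ahead of `selector`, unlike the other four worker templates; Kubernetes does not care, but keeping the key order identical makes copy-paste slips like the one above easier to spot in a diff.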
@@ -0,0 +1,20 @@
+{{- if .Values.gateway.managed }}
+kind: Gateway
+apiVersion: gateway.networking.k8s.io/v1beta1
+metadata:
+ name: openrelik-external
+ namespace: openrelik
+spec:
+ gatewayClassName: gke-l7-global-external-managed
+ listeners:
+ - name: https
+ protocol: HTTPS
+ port: 443
+ tls:
+ mode: Terminate
+ options:
+ networking.gke.io/pre-shared-certs: {{ .Values.gateway.certificateName }}
+ addresses:
+ - type: NamedAddress
+ value: openrelik-frontend
+{{- end }}
diff --git a/helm/templates/gateway/hc-server.yaml b/helm/templates/gateway/hc-server.yaml
new file mode 100644
index 0000000..d865072
--- /dev/null
+++ b/helm/templates/gateway/hc-server.yaml
@@ -0,0 +1,23 @@
+{{- if .Values.gateway.managed }}
+apiVersion: networking.gke.io/v1
+kind: HealthCheckPolicy
+metadata:
+ name: hc-server
+ namespace: openrelik
+spec:
+ default:
+ checkIntervalSec: 5
+ timeoutSec: 5
+ healthyThreshold: 3
+ unhealthyThreshold: 3
+ logConfig:
+ enabled: true
+ config:
+ type: TCP
+ httpHealthCheck:
+ port: {{ .Values.openrelik.server.port }}
+ targetRef:
+ group: ""
+ kind: Service
+ name: svc-server
+{{- end }}
diff --git a/helm/templates/gateway/hc-ui.yaml b/helm/templates/gateway/hc-ui.yaml
new file mode 100644
index 0000000..fcc31de
--- /dev/null
+++ b/helm/templates/gateway/hc-ui.yaml
@@ -0,0 +1,23 @@
+{{- if .Values.gateway.managed }}
+apiVersion: networking.gke.io/v1
+kind: HealthCheckPolicy
+metadata:
+ name: hc-ui
+ namespace: openrelik
+spec:
+ default:
+ checkIntervalSec: 5
+ timeoutSec: 5
+ healthyThreshold: 3
+ unhealthyThreshold: 3
+ logConfig:
+ enabled: true
+ config:
+ type: TCP
+ httpHealthCheck:
+ port: {{ .Values.openrelik.ui.port }}
+ targetRef:
+ group: ""
+ kind: Service
+ name: svc-ui
+{{- end }}
diff --git a/helm/templates/gateway/rte-server.yaml b/helm/templates/gateway/rte-server.yaml
new file mode 100644
index 0000000..0f3ec6b
--- /dev/null
+++ b/helm/templates/gateway/rte-server.yaml
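Review bot: In the hc-server hunk (and identically in hc-ui) `config.type: TCP` is paired with an `httpHealthCheck` block; the per-type section of a HealthCheckPolicy has to match `type`, so either change to `type: HTTP` and give `httpHealthCheck` a `requestPath` the server actually answers, or keep TCP and replace the block with `tcpHealthCheck: port: {{ .Values.openrelik.server.port }}`. As written it is unclear which port the load balancer will probe, and a mismatch shows up as backends flapping between healthy and unhealthy rather than as a render error. On the Gateway, `networking.gke.io/pre-shared-certs: {{ .Values.gateway.certificateName }}` is unquoted and `certificateName` is empty in values-gcp.yaml, so an unset value renders a null option instead of failing early; `{{ required "gateway.certificateName must be set" .Values.gateway.certificateName | quote }}` turns that into a `helm install` error.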
@@ -0,0 +1,17 @@
+{{- if .Values.gateway.managed }}
+kind: HTTPRoute
+apiVersion: gateway.networking.k8s.io/v1beta1
+metadata:
+ name: rte-server
+ namespace: openrelik
+spec:
+ parentRefs:
+ - kind: Gateway
+ name: openrelik-external
+ hostnames:
+ - "{{ .Values.openrelik.server.hostname }}"
+ rules:
+ - backendRefs:
+ - name: svc-server
+ port: {{ .Values.openrelik.server.port }}
+{{- end }}
diff --git a/helm/templates/gateway/rte-ui.yaml b/helm/templates/gateway/rte-ui.yaml
new file mode 100644
index 0000000..be90ebc
--- /dev/null
+++ b/helm/templates/gateway/rte-ui.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.gateway.managed }}
+kind: HTTPRoute
+apiVersion: gateway.networking.k8s.io/v1beta1
+metadata:
+ name: rte-ui
+ namespace: openrelik
+spec:
+ parentRefs:
+ - kind: Gateway
+ name: openrelik-external
+ hostnames:
+ - "{{ .Values.openrelik.ui.hostname }}"
+ rules:
+ - backendRefs:
+ - name: svc-ui
+ port: {{ .Values.openrelik.ui.port }}
+{{- end }}
diff --git a/helm/templates/namespace/ns-openrelik.yaml b/helm/templates/namespace/ns-openrelik.yaml
new file mode 100644
index 0000000..2690a96
--- /dev/null
+++ b/helm/templates/namespace/ns-openrelik.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: openrelik
+ labels:
+ app.kubernetes.io/managed-by: "Helm"
+ annotations:
+ meta.helm.sh/release-name: "openrelik-on-k8s"
+ meta.helm.sh/release-namespace: "default"
diff --git a/helm/templates/secret/sec-openrelik-db.yaml b/helm/templates/secret/sec-openrelik-db.yaml
new file mode 100644
index 0000000..bd1c635
--- /dev/null
+++ b/helm/templates/secret/sec-openrelik-db.yaml
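Review bot: ns-openrelik.yaml pins `meta.helm.sh/release-name: "openrelik-on-k8s"` and `meta.helm.sh/release-namespace: "default"` as literals, so a `helm install` under any other release name, or with `-n` pointing anywhere but `default`, fails Helm's ownership check on the Namespace. Presumably they are literal because the README applies this file with kubectl before the chart is installed; if that is the intended flow, the README should state that the release name must be `openrelik-on-k8s` in namespace `default`, otherwise the Namespace belongs outside `templates/` so the chart can use `{{ .Release.Name }}` and `{{ .Release.Namespace }}`. In the two HTTPRoute hunks, `hostnames` is rendered from `openrelik.server.hostname` / `openrelik.ui.hostname`, which values-gcp.yaml leaves empty; an empty string is not a valid hostname entry, so wrapping each in `required` would surface a missing value at render time instead of at apply time.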
@@ -0,0 +1,13 @@
+{{- if .Values.postgres.managedSecret }}
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+ name: sec-openrelik-db
+ namespace: openrelik
+spec:
+ provider: gke
+ parameters:
+ secrets: |
+ - resourceName: "projects/{{ .Values.global.projectId }}/secrets/openrelik/versions/{{ .Values.postgres.managedSecretVersion }}"
+ path: "password.txt"
+{{- end }}
diff --git a/helm/templates/service/svc-postgres.yaml b/helm/templates/service/svc-postgres.yaml
new file mode 100644
index 0000000..eee17ec
--- /dev/null
+++ b/helm/templates/service/svc-postgres.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.postgres.selfManaged }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: svc-postgres
+ namespace: openrelik
+spec:
+ ports:
+ - name: "postgres"
+ port: 5432
+ targetPort: 5432
+ selector:
+ app: openrelik-postgres
+{{- end }}
diff --git a/helm/templates/service/svc-redis.yaml b/helm/templates/service/svc-redis.yaml
new file mode 100644
index 0000000..bce13af
--- /dev/null
+++ b/helm/templates/service/svc-redis.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.redis.selfManaged }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: svc-redis
+ namespace: openrelik
+spec:
+ ports:
+ - name: "redis"
+ port: 6379
+ targetPort: 6379
+ selector:
+ app: openrelik-redis
+{{- end }}
diff --git a/helm/templates/service/svc-server.yaml b/helm/templates/service/svc-server.yaml
new file mode 100644
index 0000000..bf4f94d
--- /dev/null
+++ b/helm/templates/service/svc-server.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: svc-server
+ namespace: openrelik
+spec:
+ ports:
+ - name: "server"
+ port: {{ .Values.openrelik.server.port }}
+ targetPort: {{ .Values.openrelik.server.port }}
+ selector:
+ app: server
diff --git a/helm/templates/service/svc-ui.yaml b/helm/templates/service/svc-ui.yaml
new file mode 100644
index 0000000..910fcd8
--- /dev/null
+++ b/helm/templates/service/svc-ui.yaml
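Review bot: The svc-redis hunk exposes the self-managed Redis on 6379 to every pod that can resolve the service, and the `redis.url` default in values.yaml (`redis://svc-redis:6379`) carries no credentials; since this Redis is the Celery broker for the workers, anything in the cluster that reaches it can enqueue work for them. The chart ships no NetworkPolicy, so at minimum add one in the openrelik namespace that admits ingress to the `openrelik-redis` pods only from the server, mediator and worker pods (and the equivalent for `openrelik-postgres`), and consider a Redis password delivered the same way the Postgres password is. In the SecretProviderClass hunk, `resourceName` renders as `projects//secrets/openrelik/versions/1` when `global.projectId` is unset and only fails when the CSI driver mounts the volume; `{{ required "global.projectId must be set" .Values.global.projectId }}` moves that failure to `helm install`.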
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: svc-ui
+ namespace: openrelik
+spec:
+ ports:
+ - name: "ui"
+ port: {{ .Values.openrelik.ui.port }}
+ targetPort: {{ .Values.openrelik.ui.port }}
+ selector:
+ app: ui
diff --git a/helm/templates/serviceaccount/sa-openrelik.yaml b/helm/templates/serviceaccount/sa-openrelik.yaml
new file mode 100644
index 0000000..518f57e
--- /dev/null
+++ b/helm/templates/serviceaccount/sa-openrelik.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: openrelik-sa
+ namespace: openrelik
diff --git a/helm/templates/volume/pvc-local.yaml b/helm/templates/volume/pvc-local.yaml
new file mode 100644
index 0000000..3209cb8
--- /dev/null
+++ b/helm/templates/volume/pvc-local.yaml
@@ -0,0 +1,13 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: pvc-local
+ namespace: openrelik
+ labels:
+ app: openrelik
+spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 50Gi
diff --git a/helm/templates/volume/pvc-postgres.yaml b/helm/templates/volume/pvc-postgres.yaml
new file mode 100644
index 0000000..71e146e
--- /dev/null
+++ b/helm/templates/volume/pvc-postgres.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: pvc-postgres
+ namespace: openrelik
+ labels:
+ app: postgres
+spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 10Gi
diff --git a/helm/values-gcp.yaml b/helm/values-gcp.yaml
new file mode 100644
index 0000000..25cf4ac
--- /dev/null
+++ b/helm/values-gcp.yaml
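Review bot: `openrelik-sa` is created in the sa-openrelik hunk, but none of the deployments visible in this patch set `serviceAccountName`, so the pods run under the namespace `default` account and the new account is unused (dpl-server and dpl-mediator are outside this chunk and may differ). Either reference it from the deployments with `serviceAccountName: openrelik-sa` or drop it, and in either case set `automountServiceAccountToken: false` on the account the pods actually use unless a component calls the Kubernetes API, since the workers have no need for a token. In the two PVC hunks the sizes (`50Gi`, `10Gi`) and `ReadWriteMany` are hard-coded; `ReadWriteMany` for the Postgres data volume is only needed if more than one pod mounts it, which a single-replica database should never do, and `ReadWriteOnce` is supported by far more storage classes, so both the mode and the sizes belong in values.yaml.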
@@ -0,0 +1,137 @@
+## OpenRelik Helm Chart
+## Please use this Helm chart for deploying OpenRelik to a Google Kubernetes Engine (GKE) environment.
+##
+## @section Global parameters
+##
+global:
+ ## @param global.localData Allocates local PVC for data storage.
+ ##
+ localData: false
+ ## @param global.projectId Sets the Google Cloud Project ID.
+ ##
+ projectId:
+ ## @param global.useResourceRequests Allocates resources to the pods.
+ ##
+ useResourceRequests: true
+
+## @section OpenRelik parameters
+##
+openrelik:
+ mediator:
+ ## @param openrelik.mediator.image Sets the OpenRelik mediator container image to use.
+ ##
+ image: "ghcr.io/openrelik/openrelik-mediator:2024.12.12"
+ ## @param openrelik.mediator.replicas Sets the amount of OpenRelik mediator pods to run.
+ ##
+ replicas: 1
+
+ server:
+ ## @param openrelik.server.hostname Sets the OpenRelik server hostname to use.
+ ##
+ hostname:
+ ## @param openrelik.server.image Sets the OpenRelik server container image to use.
+ ##
+ image: "ghcr.io/openrelik/openrelik-server:2024.12.12"
+ ## @param openrelik.server.port Sets the OpenRelik server port to use.
+ ##
+ port: 8710
+ ## @param openrelik.server.replicas Sets the amount of OpenRelik server pods to run.
+ ##
+ replicas: 1
+ ## @param openrelik.server.url Sets the OpenRelik server URL to use.
+ ##
+ url:
+
+ ui:
+ ## @param openrelik.ui.hostname Sets the OpenRelik UI hostname to use.
+ ##
+ hostname:
+ ## @param openrelik.ui.image Sets the OpenRelik UI container image to use.
+ ##
+ image: "ghcr.io/openrelik/openrelik-ui:2024.12.12"
+ ## @param openrelik.ui.port Sets the OpenRelik UI port to use.
+ ##
+ port: 8711
+ ## @param openrelik.ui.replicas Sets the amount of OpenRelik UI pods to run.
+ ##
+ replicas: 1
+
+ worker:
+ analyzer:
+ ## @param openrelik.worker.analyzer.image Sets the analyzer-config container image to use.
+ ##
+ image: "ghcr.io/openrelik/openrelik-worker-analyzer-config:2024.11.27"
+ ## @param openrelik.worker.analyzer.replicas Sets the amount of analyzer-config pods to run.
+ ##
+ replicas: 1
+ extraction:
+ ## @param openrelik.worker.extraction.image Sets the extraction container image to use.
+ ##
+ image: "ghcr.io/openrelik/openrelik-worker-extraction:2024.11.27"
+ ## @param openrelik.worker.extraction.replicas Sets the amount of extraction pods to run.
+ ##
+ replicas: 1
+ hayabusa:
+ ## @param openrelik.worker.hayabusa.image Sets the hayabusa container image to use.
+ ##
+ image: "ghcr.io/openrelik/openrelik-worker-hayabusa:2024.11.27"
+ ## @param openrelik.worker.hayabusa.replicas Sets the amount of hayabusa pods to run.
+ ##
+ replicas: 1
+ plaso:
+ ## @param openrelik.worker.plaso.image Sets the plaso container image to use.
+ ##
+ image: "ghcr.io/openrelik/openrelik-worker-plaso:2024.11.27"
+ ## @param openrelik.worker.plaso.replicas Sets the amount of plaso pods to run.
+ ##
+ replicas: 1
+ strings:
+ ## @param openrelik.worker.strings.image Sets the strings container image to use.
+ ##
+ image: "ghcr.io/openrelik/openrelik-worker-strings:2024.11.27"
+ ## @param openrelik.worker.strings.replicas Sets the amount of strings pods to run.
+ ##
+ replicas: 1
+
+## @section Postgres parameters
+##
+postgres:
+ ## @param postgres.managedSecret Enables a managed secret for the Postgres DB password.
+ ##
+ managedSecret: true
+ ## @param postgres.managedSecretVersion Sets the version of the managed secret for the Postgres DB password.
+ ##
+ managedSecretVersion: 1
+ ## @param postgres.user Sets the Postgres DB user name.
+ ##
+ user: "openrelik"
+ ## @param postgres.selfManaged Enables a Postgres DB containter to be deployed into the cluster.
+ ##
+ selfManaged: false
+
+## @section Redis parameters
+##
+redis:
+ ## @param redis.url Sets the Redis URL.
+ ##
+ url:
+ ## @param redis.selfManaged Enables a Redis containter to be deployed into the cluster.
+ ##
+ selfManaged: false
+
+## @section Filestore parameters
+##
+filestore:
+ ## @param filestore.managed Enables a Google Cloud Filestore instance to be deployed.
+ ##
+ managed: true
+
+## @section Gateway API parameters
+##
+gateway:
+ ## @param gateway.certificateName Sets the name of the OpenRelik certificate.
+ ##
+ certificateName:
+ ## @param gateway.managed Enables a Gateway API Global Loadbalancer to be deployed.
+ ##
+ managed: true
diff --git a/helm/values.yaml b/helm/values.yaml
new file mode 100644
index 0000000..b995f92
--- /dev/null
+++ b/helm/values.yaml
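Review bot: `global.projectId`, `openrelik.server.hostname`, `openrelik.server.url`, `openrelik.ui.hostname`, `redis.url` and `gateway.certificateName` are all left empty, and none of the templates in this patch that consume them use `required`, so a `helm install -f values-gcp.yaml` on an unedited file renders manifests with null or empty fields that only fail at apply or pod start. Presumably `config.sh cloud` fills these in, but the `@param` lines should say so, e.g. `## @param global.projectId Sets the Google Cloud Project ID (required; populated by config.sh cloud).`, and the same for the other five. The container images are pinned to date tags rather than digests; for a deployment that ingests evidence, pinning each `image` with `@sha256:<digest>` (or documenting how the tags are verified) closes the window in which a re-pushed tag changes what runs. `containter` in the two `selfManaged` descriptions is a typo for `container`.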
@@ -0,0 +1,137 @@
+## OpenRelik Helm Chart
+## Please use this Helm chart for deploying OpenRelik to a Kubernetes cluster.
+##
+## @section Global parameters
+##
+global:
+ ## @param global.localData Allocates local PVC for data storage.
+ ##
+ localData: true
+ ## @param global.useResourceRequests Allocates resources to the pods.
+ ##
+ useResourceRequests: false
+
+## @section OpenRelik parameters
+##
+openrelik:
+ mediator:
+ ## @param openrelik.mediator.image Sets the OpenRelik mediator container image to use.
+ ##
+ image: "ghcr.io/openrelik/openrelik-mediator:2024.12.12"
+ ## @param openrelik.mediator.replicas Sets the amount of OpenRelik mediator pods to run.
+ ##
+ replicas: 1
+
+ server:
+ ## @param openrelik.server.image Sets the OpenRelik server container image to use.
+ ##
+ image: "ghcr.io/openrelik/openrelik-server:2024.12.12"
+ ## @param openrelik.server.port Sets the OpenRelik server port to use.
+ ##
+ port: 8710
+ ## @param openrelik.server.replicas Sets the amount of OpenRelik server pods to run.
+ ##
+ replicas: 1
+ ## @param openrelik.server.url Sets the OpenRelik server URL to use.
+ ##
+ url:
+
+ ui:
+ ## @param openrelik.ui.image Sets the OpenRelik UI container image to use.
+ ##
+ image: "ghcr.io/openrelik/openrelik-ui:2024.12.12"
+ ## @param openrelik.ui.port Sets the OpenRelik UI port to use.
+ ##
+ port: 8711
+ ## @param openrelik.ui.replicas Sets the amount of OpenRelik UI pods to run.
+ ##
+ replicas: 1
+
+ worker:
+ analyzer:
+ ## @param openrelik.worker.analyzer.image Sets the analyzer-config container image to use.
+ ##
+ image: "ghcr.io/openrelik/openrelik-worker-analyzer-config:2024.11.27"
+ ## @param openrelik.worker.analyzer.replicas Sets the amount of analyzer-config pods to run.
+ ##
+ replicas: 1
+ extraction:
+ ## @param openrelik.worker.extraction.image Sets the extraction container image to use.
+ ##
+ image: "ghcr.io/openrelik/openrelik-worker-extraction:2024.11.27"
+ ## @param openrelik.worker.extraction.replicas Sets the amount of extraction pods to run.
+ ##
+ replicas: 1
+ hayabusa:
+ ## @param openrelik.worker.hayabusa.image Sets the hayabusa container image to use.
+ ##
+ image: "ghcr.io/openrelik/openrelik-worker-hayabusa:2024.11.27"
+ ## @param openrelik.worker.hayabusa.replicas Sets the amount of hayabusa pods to run.
+ ##
+ replicas: 1
+ plaso:
+ ## @param openrelik.worker.plaso.image Sets the plaso container image to use.
+ ##
+ image: "ghcr.io/openrelik/openrelik-worker-plaso:2024.11.27"
+ ## @param openrelik.worker.plaso.replicas Sets the amount of plaso pods to run.
+ ##
+ replicas: 1
+ strings:
+ ## @param openrelik.worker.strings.image Sets the strings container image to use.
+ ##
+ image: "ghcr.io/openrelik/openrelik-worker-strings:2024.11.27"
+ ## @param openrelik.worker.strings.replicas Sets the amount of strings pods to run.
+ ##
+ replicas: 1
+
+## @section Postgres parameters
+##
+postgres:
+ ## @param postgres.db Sets the Postgres DB name.
+ ##
+ db: "openrelik"
+ ## @param postgres.image Sets the strings container image to use.
+ ##
+ image: "postgres:17"
+ ## @param postgres.managedSecret Enables a managed secret for the Postgres DB password.
+ ##
+ managedSecret: false
+ ## @param postgres.managedSecretVersion Sets the version of the managed secret for the Postgres DB password.
+ ##
+ managedSecretVersion: 1
+ ## @param postgres.password Sets the Postgres DB password.
+ ##
+ password: ""
+ ## @param postgres.user Sets the Postgres DB user name.
+ ##
+ user: ""
+ ## @param postgres.selfManaged Enables a Postgres DB containter to be deployed into the cluster.
+ ##
+ selfManaged: true
+
+## @section Redis parameters
+##
+redis:
+ ## @param redis.image Sets the strings container image to use.
+ ##
+ image: "redis:7"
+ ## @param redis.url Sets the Redis URL.
+ ##
+ url: "redis://svc-redis:6379"
+ ## @param redis.selfManaged Enables a Redis containter to be deployed into the cluster.
+ ##
+ selfManaged: true
+
+## @section Filestore parameters
+##
+filestore:
+ ## @param filestore.managed Enables a Google Cloud Filestore instance to be deployed.
+ ##
+ managed: false
+
+## @section Gateway API parameters
+##
+gateway:
+ ## @param gateway.managed Enables a Gateway API Global Loadbalancer to be deployed.
+ ##
+ managed: false
From 4e75cb443125d89ec0738cb2dce62f69c3fd4fef Mon Sep 17 00:00:00 2001 From: Dan Date: Sat, 11 Jan 2025 11:58:47 +0000 Subject: [PATCH 2/5] Fixes path to helm folder references --- cloud/README.md | 2 +- helm/README.md | 18 +++++++++--------- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/cloud/README.md b/cloud/README.md index 3b8675b..35ed2e3 100644 --- a/cloud/README.md +++ b/cloud/README.md @@ -98,7 +98,7 @@ export ENABLE_GCP=true ## 3. Installing OpenRelik on GKE -You can continue with the instructions for [installing OpenRelik on GKE](../chart/README.md#22-installing-openrelik-on-gke). +You can continue with the instructions for [installing OpenRelik on GKE](../helm/README.md#22-installing-openrelik-on-gke). ## 4. Cleaning up diff --git a/helm/README.md b/helm/README.md index 6979335..bc036bb 100644 --- a/helm/README.md +++ b/helm/README.md @@ -24,14 +24,14 @@ minikube start minikube tunnel & # Create the configuration files -cd chart +cd helm ./config.sh local # Change back to the REPO directory cd $REPO # Install the OpenRelik Helm chart -helm install openrelik-on-k8s ./chart -f ./chart/values.yaml +helm install openrelik-on-k8s ./helm -f ./helm/values.yaml ``` > **Note**: For a more real life scenario see [Installing on Cloud](#2-installing-openrelik-on-cloud) for deploying OpenRelik on [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine) (GKE). 
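Review bot: `postgres.image` and `redis.image` are both documented as "Sets the strings container image to use", copied from the worker block; they should read `## @param postgres.image Sets the Postgres container image to use.` and `## @param redis.image Sets the Redis container image to use.`. `postgres.user` and `postgres.password` default to `""` while `postgres.selfManaged: true` and `managedSecret: false`, so a chart rendered without first running `config.sh local` as the README instructs would start the bundled database with empty credentials; a `required` guard in the template that consumes `.Values.postgres.password` (outside this chunk) would make that a render-time error instead. If `config.sh local` writes the generated password into this tracked values.yaml, the secret ends up in the working tree and is one `git add` away from the repository; writing it to a separate, git-ignored values file or passing it with `--set` avoids that.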
@@ -63,7 +63,7 @@ minikube tunnel & ```console # Create the configuration files -cd chart +cd helm ./config.sh local # Change back to the REPO directory @@ -76,7 +76,7 @@ To install the chart, specify any release name of your choice. For example, usin ```console # Install the OpenRelik Helm chart -helm install openrelik-on-k8s ./chart -f ./chart/values.yaml +helm install openrelik-on-k8s ./helm -f ./helm/values.yaml # Verify that all the OpenRelik component pods are in 'Running' state (this might take a moment) kubectl get pods -n openrelik @@ -184,7 +184,7 @@ gcloud container clusters get-credentials $GKE_CLUSTER_NAME --zone $GKE_CLUSTER_ #### 2.2.2. Set the default values for the OpenRelik Helm chart ```console -cd $REPO/chart +cd $REPO/helm ./config.sh cloud # Change back to the REPO directory @@ -196,11 +196,11 @@ cd $REPO > **Tip**: For more details see [Filestore Multishares](https://cloud.google.com/filestore/docs/optimize-multishares) ```console -kubectl apply -f chart/templates/namespace/ns-openrelik.yaml +kubectl apply -f helm/templates/namespace/ns-openrelik.yaml -kubectl apply -f chart/filestore/sc-ms-512.yaml +kubectl apply -f helm/filestore/sc-ms-512.yaml -kubectl apply -f chart/filestore/pvc-filestore.yaml +kubectl apply -f helm/filestore/pvc-filestore.yaml # Make sure you let the Filestore creation process finish before continuing. watch -n 1 kubectl get pvc -n openrelik @@ -213,7 +213,7 @@ watch -n 1 kubectl get pvc -n openrelik #### 2.2.4. Install the Helm chart ```console -helm install openrelik-on-k8s ./chart -f ./chart/values-gcp.yaml +helm install openrelik-on-k8s ./helm -f ./helm/values-gcp.yaml ``` #### 2.2.5. Wait for all OpenRelik pods to be in 'Running' status From 133b9b6db23175e6875330982c66ac2ae2369ef2 Mon Sep 17 00:00:00 2001 
From: Dan Date: Sat, 11 Jan 2025 13:09:54 +0000 Subject: [PATCH 3/5] Adds certificate provisioning status info to instructions --- helm/README.md | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/helm/README.md b/helm/README.md index bc036bb..6a4a971 100644 --- a/helm/README.md +++ b/helm/README.md @@ -254,7 +254,29 @@ kubectl exec -it ${SERVER_POD} -n openrelik -c openrelik-server -- \ ## 3. Connect to the UI -Run the command below and then point your browser to the displayed URL: +It will take a bit of time to provision the certificate to the load balancer that serves the OpenRelik UI. + +You can check on the status by running the following command: + +> **Note**: You can continue with the next step when the output indicates that the certificate is provisioned with ```status: ACTIVE``` + +```console +watch -n 1 gcloud compute ssl-certificates describe ${CERTIFICATE_NAME} + +# ... +# kind: compute#sslCertificate +# managed: +# status: ACTIVE +# domainStatus: +# 34-98-78-82.nip.io: ACTIVE +# openrelik.34-98-78-82.nip.io: ACTIVE +# domains: +# - 34-98-78-82.nip.io +# - openrelik.34-98-78-82.nip.io +# ... +``` + +Once the certificate is provisisoned you can run the command below and then point your browser to the displayed URL: ```console echo "https://$OPENRELIK_HOSTNAME" From 04f30ac12b7db1c86c794a086a7597a9c99e62a2 Mon Sep 17 00:00:00 2001 From: Dan Date: Sat, 11 Jan 2025 13:13:06 +0000 Subject: [PATCH 4/5] Adds certificate provisioning status info to instructions --- helm/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/helm/README.md b/helm/README.md index 6a4a971..9110b23 100644 --- a/helm/README.md +++ b/helm/README.md @@ -263,6 +263,7 @@ You can check on the status by running the following command: ```console watch -n 1 gcloud compute ssl-certificates describe ${CERTIFICATE_NAME} +# The output should look similar to the below: # ... # kind: compute#sslCertificate # managed: 
From 2cf23311168d20179d0d25e638bb7f64bf832d8f Mon Sep 17 00:00:00 2001 
From: Dan Date: Tue, 14 Jan 2025 05:21:12 +0000 Subject: [PATCH 5/5] Reorg folder structure --- helm/README.md | 26 +++++++++---------- helm/{ => chart}/Chart.yaml | 0 helm/{ => chart}/config.sh | 0 helm/{ => chart}/filestore/pvc-filestore.yaml | 0 helm/{ => chart}/filestore/sc-ms-512.yaml | 0 helm/{ => chart}/settings_template.toml | 0 helm/{ => chart}/templates/_helpers.tpl | 0 .../templates/deployment/dpl-mediator.yaml | 0 .../templates/deployment/dpl-postgres.yaml | 0 .../templates/deployment/dpl-redis.yaml | 0 .../templates/deployment/dpl-server.yaml | 0 .../templates/deployment/dpl-ui.yaml | 0 .../dpl-worker-analyzer-config.yaml | 0 .../deployment/dpl-worker-extraction.yaml | 0 .../deployment/dpl-worker-hayabusa.yaml | 0 .../deployment/dpl-worker-plaso.yaml | 0 .../deployment/dpl-worker-strings.yaml | 0 .../templates/gateway/gw-openrelik.yaml | 0 .../templates/gateway/hc-server.yaml | 0 helm/{ => chart}/templates/gateway/hc-ui.yaml | 0 .../templates/gateway/rte-server.yaml | 0 .../{ => chart}/templates/gateway/rte-ui.yaml | 0 .../templates/namespace/ns-openrelik.yaml | 0 .../templates/secret/sec-openrelik-db.yaml | 0 .../templates/service/svc-postgres.yaml | 0 .../templates/service/svc-redis.yaml | 0 .../templates/service/svc-server.yaml | 0 .../{ => chart}/templates/service/svc-ui.yaml | 0 .../serviceaccount/sa-openrelik.yaml | 0 .../templates/volume/pvc-local.yaml | 0 .../templates/volume/pvc-postgres.yaml | 0 helm/{ => chart}/values-gcp.yaml | 0 helm/{ => chart}/values.yaml | 0 {cloud => helm/cloud}/README.md | 2 +- {cloud => helm/cloud}/main.tf | 0 {cloud => helm/cloud}/output.tf | 0 {cloud => helm/cloud}/variables.tf | 0 37 files changed, 14 insertions(+), 14 deletions(-) rename helm/{ => chart}/Chart.yaml (100%) rename helm/{ => chart}/config.sh (100%) rename helm/{ => chart}/filestore/pvc-filestore.yaml (100%) rename helm/{ => chart}/filestore/sc-ms-512.yaml (100%) rename helm/{ => chart}/settings_template.toml (100%) rename helm/{ => 
chart}/templates/_helpers.tpl (100%) rename helm/{ => chart}/templates/deployment/dpl-mediator.yaml (100%) rename helm/{ => chart}/templates/deployment/dpl-postgres.yaml (100%) rename helm/{ => chart}/templates/deployment/dpl-redis.yaml (100%) rename helm/{ => chart}/templates/deployment/dpl-server.yaml (100%) rename helm/{ => chart}/templates/deployment/dpl-ui.yaml (100%) rename helm/{ => chart}/templates/deployment/dpl-worker-analyzer-config.yaml (100%) rename helm/{ => chart}/templates/deployment/dpl-worker-extraction.yaml (100%) rename helm/{ => chart}/templates/deployment/dpl-worker-hayabusa.yaml (100%) rename helm/{ => chart}/templates/deployment/dpl-worker-plaso.yaml (100%) rename helm/{ => chart}/templates/deployment/dpl-worker-strings.yaml (100%) rename helm/{ => chart}/templates/gateway/gw-openrelik.yaml (100%) rename helm/{ => chart}/templates/gateway/hc-server.yaml (100%) rename helm/{ => chart}/templates/gateway/hc-ui.yaml (100%) rename helm/{ => chart}/templates/gateway/rte-server.yaml (100%) rename helm/{ => chart}/templates/gateway/rte-ui.yaml (100%) rename helm/{ => chart}/templates/namespace/ns-openrelik.yaml (100%) rename helm/{ => chart}/templates/secret/sec-openrelik-db.yaml (100%) rename helm/{ => chart}/templates/service/svc-postgres.yaml (100%) rename helm/{ => chart}/templates/service/svc-redis.yaml (100%) rename helm/{ => chart}/templates/service/svc-server.yaml (100%) rename helm/{ => chart}/templates/service/svc-ui.yaml (100%) rename helm/{ => chart}/templates/serviceaccount/sa-openrelik.yaml (100%) rename helm/{ => chart}/templates/volume/pvc-local.yaml (100%) rename helm/{ => chart}/templates/volume/pvc-postgres.yaml (100%) rename helm/{ => chart}/values-gcp.yaml (100%) rename helm/{ => chart}/values.yaml (100%) rename {cloud => helm/cloud}/README.md (98%) rename {cloud => helm/cloud}/main.tf (100%) rename {cloud => helm/cloud}/output.tf (100%) rename {cloud => helm/cloud}/variables.tf (100%) 
diff --git a/helm/README.md b/helm/README.md index 9110b23..bbb0282 100644 --- a/helm/README.md +++ b/helm/README.md @@ -10,7 +10,7 @@ Before we get started make sure you clone the repo onto your machine. ```console git clone https://github.com/openrelik/openrelik-deploy.git -cd openrelik-deploy +cd openrelik-deploy/helm export REPO=$(pwd) ``` @@ -24,14 +24,14 @@ minikube start minikube tunnel & # Create the configuration files -cd helm +cd chart ./config.sh local # Change back to the REPO directory cd $REPO # Install the OpenRelik Helm chart -helm install openrelik-on-k8s ./helm -f ./helm/values.yaml +helm install openrelik-on-k8s ./chart -f ./chart/values.yaml ``` > **Note**: For a more real life scenario see [Installing on Cloud](#2-installing-openrelik-on-cloud) for deploying OpenRelik on [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine) (GKE). @@ -63,7 +63,7 @@ minikube tunnel & ```console # Create the configuration files -cd helm +cd chart ./config.sh local # Change back to the REPO directory @@ -76,7 +76,7 @@ To install the chart, specify any release name of your choice. For example, usin ```console # Install the OpenRelik Helm chart -helm install openrelik-on-k8s ./helm -f ./helm/values.yaml +helm install openrelik-on-k8s ./chart -f ./chart/values.yaml # Verify that all the OpenRelik component pods are in 'Running' state (this might take a moment) kubectl get pods -n openrelik 
@@ -138,13 +138,13 @@ For this you could consider installing OpenRelik on a managed Kubernetes cluster ### 2.1. GKE Installation Before we can install OpenRelik we need to provision a GKE cluster and its related infrastructure. -The quickest way to provision a ready to run environment on Google Cloud is by following the steps in these [installation instructions](../cloud/README.md). +The quickest way to provision a ready to run environment on Google Cloud is by following the steps in these [installation instructions](./cloud/README.md). We recommend that you start with cloning this repo again to avoid carrying over any configurations from the minikube based instructions above. ```console git clone https://github.com/google/openrelik-deploy.git -cd openrelik-deploy +cd openrelik-deploy/helm export REPO=$(pwd) ``` @@ -153,7 +153,7 @@ Once you have provisioned your infrastructure you can continue with the instruct ### 2.2. Installing OpenRelik on GKE In case you followed the Google Cloud environment installation instructions you should already have the following environment variables configured. -Otherwise, either run the [installation instruction step](../cloud/README.md#22-capture-environment-variables-for-later-use) again or set the environment variables to values that match your setup. +Otherwise, either run the [installation instruction step](./cloud/README.md#22-capture-environment-variables-for-later-use) again or set the environment variables to values that match your setup. You can check that they have a value assigned by running the commands below. ```console @@ -184,7 +184,7 @@ gcloud container clusters get-credentials $GKE_CLUSTER_NAME --zone $GKE_CLUSTER_ #### 2.2.2. Set the default values for the OpenRelik Helm chart ```console -cd $REPO/helm +cd $REPO/chart ./config.sh cloud # Change back to the REPO directory 
@@ -196,11 +196,11 @@ cd $REPO
 > **Tip**: For more details see [Filestore Multishares](https://cloud.google.com/filestore/docs/optimize-multishares)
 ```console
-kubectl apply -f helm/templates/namespace/ns-openrelik.yaml
+kubectl apply -f chart/templates/namespace/ns-openrelik.yaml
-kubectl apply -f helm/filestore/sc-ms-512.yaml
+kubectl apply -f chart/filestore/sc-ms-512.yaml
-kubectl apply -f helm/filestore/pvc-filestore.yaml
+kubectl apply -f chart/filestore/pvc-filestore.yaml
 # Make sure you let the Filestore creation process finish before continuing.
 watch -n 1 kubectl get pvc -n openrelik
@@ -213,7 +213,7 @@ watch -n 1 kubectl get pvc -n openrelik
 #### 2.2.4. Install the Helm chart
 ```console
-helm install openrelik-on-k8s ./helm -f ./helm/values-gcp.yaml
+helm install openrelik-on-k8s ./chart -f ./chart/values-gcp.yaml
 ```
 #### 2.2.5. Wait for all OpenRelik pods to be in 'Running' status
diff --git a/helm/Chart.yaml b/helm/chart/Chart.yaml
similarity index 100%
rename from helm/Chart.yaml
rename to helm/chart/Chart.yaml
diff --git a/helm/config.sh b/helm/chart/config.sh
similarity index 100%
rename from helm/config.sh
rename to helm/chart/config.sh
diff --git a/helm/filestore/pvc-filestore.yaml b/helm/chart/filestore/pvc-filestore.yaml
similarity index 100%
rename from helm/filestore/pvc-filestore.yaml
rename to helm/chart/filestore/pvc-filestore.yaml
diff --git a/helm/filestore/sc-ms-512.yaml b/helm/chart/filestore/sc-ms-512.yaml
similarity index 100%
rename from helm/filestore/sc-ms-512.yaml
rename to helm/chart/filestore/sc-ms-512.yaml
diff --git a/helm/settings_template.toml b/helm/chart/settings_template.toml
similarity index 100%
rename from helm/settings_template.toml
rename to helm/chart/settings_template.toml
diff --git a/helm/templates/_helpers.tpl b/helm/chart/templates/_helpers.tpl
similarity index 100%
rename from helm/templates/_helpers.tpl
rename to helm/chart/templates/_helpers.tpl
diff --git a/helm/templates/deployment/dpl-mediator.yaml b/helm/chart/templates/deployment/dpl-mediator.yaml
similarity index 100%
rename from helm/templates/deployment/dpl-mediator.yaml
rename to helm/chart/templates/deployment/dpl-mediator.yaml
diff --git a/helm/templates/deployment/dpl-postgres.yaml b/helm/chart/templates/deployment/dpl-postgres.yaml
similarity index 100%
rename from helm/templates/deployment/dpl-postgres.yaml
rename to helm/chart/templates/deployment/dpl-postgres.yaml
diff --git a/helm/templates/deployment/dpl-redis.yaml b/helm/chart/templates/deployment/dpl-redis.yaml
similarity index 100%
rename from helm/templates/deployment/dpl-redis.yaml
rename to helm/chart/templates/deployment/dpl-redis.yaml
diff --git a/helm/templates/deployment/dpl-server.yaml b/helm/chart/templates/deployment/dpl-server.yaml
similarity index 100%
rename from helm/templates/deployment/dpl-server.yaml
rename to helm/chart/templates/deployment/dpl-server.yaml
diff --git a/helm/templates/deployment/dpl-ui.yaml b/helm/chart/templates/deployment/dpl-ui.yaml
similarity index 100%
rename from helm/templates/deployment/dpl-ui.yaml
rename to helm/chart/templates/deployment/dpl-ui.yaml
diff --git a/helm/templates/deployment/dpl-worker-analyzer-config.yaml b/helm/chart/templates/deployment/dpl-worker-analyzer-config.yaml
similarity index 100%
rename from helm/templates/deployment/dpl-worker-analyzer-config.yaml
rename to helm/chart/templates/deployment/dpl-worker-analyzer-config.yaml
diff --git a/helm/templates/deployment/dpl-worker-extraction.yaml b/helm/chart/templates/deployment/dpl-worker-extraction.yaml
similarity index 100%
rename from helm/templates/deployment/dpl-worker-extraction.yaml
rename to helm/chart/templates/deployment/dpl-worker-extraction.yaml
diff --git a/helm/templates/deployment/dpl-worker-hayabusa.yaml b/helm/chart/templates/deployment/dpl-worker-hayabusa.yaml
similarity index 100%
rename from helm/templates/deployment/dpl-worker-hayabusa.yaml
rename to helm/chart/templates/deployment/dpl-worker-hayabusa.yaml
diff --git a/helm/templates/deployment/dpl-worker-plaso.yaml b/helm/chart/templates/deployment/dpl-worker-plaso.yaml
similarity index 100%
rename from helm/templates/deployment/dpl-worker-plaso.yaml
rename to helm/chart/templates/deployment/dpl-worker-plaso.yaml
diff --git a/helm/templates/deployment/dpl-worker-strings.yaml b/helm/chart/templates/deployment/dpl-worker-strings.yaml
similarity index 100%
rename from helm/templates/deployment/dpl-worker-strings.yaml
rename to helm/chart/templates/deployment/dpl-worker-strings.yaml
diff --git a/helm/templates/gateway/gw-openrelik.yaml b/helm/chart/templates/gateway/gw-openrelik.yaml
similarity index 100%
rename from helm/templates/gateway/gw-openrelik.yaml
rename to helm/chart/templates/gateway/gw-openrelik.yaml
diff --git a/helm/templates/gateway/hc-server.yaml b/helm/chart/templates/gateway/hc-server.yaml
similarity index 100%
rename from helm/templates/gateway/hc-server.yaml
rename to helm/chart/templates/gateway/hc-server.yaml
diff --git a/helm/templates/gateway/hc-ui.yaml b/helm/chart/templates/gateway/hc-ui.yaml
similarity index 100%
rename from helm/templates/gateway/hc-ui.yaml
rename to helm/chart/templates/gateway/hc-ui.yaml
diff --git a/helm/templates/gateway/rte-server.yaml b/helm/chart/templates/gateway/rte-server.yaml
similarity index 100%
rename from helm/templates/gateway/rte-server.yaml
rename to helm/chart/templates/gateway/rte-server.yaml
diff --git a/helm/templates/gateway/rte-ui.yaml b/helm/chart/templates/gateway/rte-ui.yaml
similarity index 100%
rename from helm/templates/gateway/rte-ui.yaml
rename to helm/chart/templates/gateway/rte-ui.yaml
diff --git a/helm/templates/namespace/ns-openrelik.yaml b/helm/chart/templates/namespace/ns-openrelik.yaml
similarity index 100%
rename from helm/templates/namespace/ns-openrelik.yaml
rename to helm/chart/templates/namespace/ns-openrelik.yaml
diff --git a/helm/templates/secret/sec-openrelik-db.yaml b/helm/chart/templates/secret/sec-openrelik-db.yaml
similarity index 100%
rename from helm/templates/secret/sec-openrelik-db.yaml
rename to helm/chart/templates/secret/sec-openrelik-db.yaml
diff --git a/helm/templates/service/svc-postgres.yaml b/helm/chart/templates/service/svc-postgres.yaml
similarity index 100%
rename from helm/templates/service/svc-postgres.yaml
rename to helm/chart/templates/service/svc-postgres.yaml
diff --git a/helm/templates/service/svc-redis.yaml b/helm/chart/templates/service/svc-redis.yaml
similarity index 100%
rename from helm/templates/service/svc-redis.yaml
rename to helm/chart/templates/service/svc-redis.yaml
diff --git a/helm/templates/service/svc-server.yaml b/helm/chart/templates/service/svc-server.yaml
similarity index 100%
rename from helm/templates/service/svc-server.yaml
rename to helm/chart/templates/service/svc-server.yaml
diff --git a/helm/templates/service/svc-ui.yaml b/helm/chart/templates/service/svc-ui.yaml
similarity index 100%
rename from helm/templates/service/svc-ui.yaml
rename to helm/chart/templates/service/svc-ui.yaml
diff --git a/helm/templates/serviceaccount/sa-openrelik.yaml b/helm/chart/templates/serviceaccount/sa-openrelik.yaml
similarity index 100%
rename from helm/templates/serviceaccount/sa-openrelik.yaml
rename to helm/chart/templates/serviceaccount/sa-openrelik.yaml
diff --git a/helm/templates/volume/pvc-local.yaml b/helm/chart/templates/volume/pvc-local.yaml
similarity index 100%
rename from helm/templates/volume/pvc-local.yaml
rename to helm/chart/templates/volume/pvc-local.yaml
diff --git a/helm/templates/volume/pvc-postgres.yaml b/helm/chart/templates/volume/pvc-postgres.yaml
similarity index 100%
rename from helm/templates/volume/pvc-postgres.yaml
rename to helm/chart/templates/volume/pvc-postgres.yaml
diff --git a/helm/values-gcp.yaml b/helm/chart/values-gcp.yaml
similarity index 100%
rename from helm/values-gcp.yaml
rename to helm/chart/values-gcp.yaml
diff --git a/helm/values.yaml b/helm/chart/values.yaml
similarity index 100%
rename from helm/values.yaml
rename to helm/chart/values.yaml
diff --git a/cloud/README.md b/helm/cloud/README.md
similarity index 98%
rename from cloud/README.md
rename to helm/cloud/README.md
index 35ed2e3..ae59c53 100644
--- a/cloud/README.md
+++ b/helm/cloud/README.md
@@ -98,7 +98,7 @@ export ENABLE_GCP=true
 ## 3. Installing OpenRelik on GKE
-You can continue with the instructions for [installing OpenRelik on GKE](../helm/README.md#22-installing-openrelik-on-gke).
+You can continue with the instructions for [installing OpenRelik on GKE](../README.md#22-installing-openrelik-on-gke).
 ## 4. Cleaning up
diff --git a/cloud/main.tf b/helm/cloud/main.tf
similarity index 100%
rename from cloud/main.tf
rename to helm/cloud/main.tf
diff --git a/cloud/output.tf b/helm/cloud/output.tf
similarity index 100%
rename from cloud/output.tf
rename to helm/cloud/output.tf
diff --git a/cloud/variables.tf b/helm/cloud/variables.tf
similarity index 100%
rename from cloud/variables.tf
rename to helm/cloud/variables.tf