Skip to content

RHEcosystemAppEng/exploit-iq-operator

Repository files navigation

RHTPA exploit intelligence operator

The RHTPA exploit intelligence operator automates the deployment and lifecycle management of the RHTPA exploit intelligence stack on Red Hat OpenShift clusters.

Components

The operator manages the following components:

  • Cache: Reverse proxy and cache for external APIs (NVD, GitHub, FIRST, NVIDIA NIM, OpenAI)
  • Engine: Primary vulnerability analysis engine
  • WebApp: Quarkus-based UI and API

Database: RHTPA exploit intelligence requires a MongoDB instance for data persistence. The operator does not provision MongoDB — you must create the database separately and configure the connection before deploying the stack.

Prerequisites

Cluster requirements

  • OpenShift: Version 4.16 or later
  • Persistent storage (default storage class configured)
  • Cluster-admin privileges

API keys

Obtain the following credentials before you begin. You will use these in Step 3: Configure secrets.

Key Description Where to get it
ghsa_api_key GitHub Personal Access Token for the GitHub Security Advisory API github.com/settings/tokens — generate a new fine-grained token
nvidia_api_key NVIDIA NGC API key org.ngc.nvidia.com
ngc_api_key NVIDIA NGC organization key org.ngc.nvidia.com
nvd_api_key National Vulnerability Database API key nvd.nist.gov/developers/request-an-api-key
serpapi_api_key SerpAPI key for web search serpapi.com/manage-api-key
registry_redhat_username Red Hat registry service account username access.redhat.com/terms-based-registry
registry_redhat_password Red Hat registry service account token access.redhat.com/terms-based-registry

For a MongoDB instance, see Connecting to MongoDB.

Installation

Step 1: Install the operator

Navigate to Operators → OperatorHub or Ecosystem → Software Catalog and search for RHTPA exploit intelligence, then click Install.

Wait for the operator to become ready. The namespace depends on the install mode selected during installation (for example, openshift-operators for all-namespaces mode):

oc get csv -n <operator-namespace> | grep exploit-iq-operator

Step 2: Create a project

oc new-project exploit-iq

Step 3: Configure secrets

API keys

oc create secret generic exploit-iq-secret \
  --from-literal=ghsa_api_key="<YOUR_GITHUB_TOKEN>" \
  --from-literal=nvidia_api_key="<YOUR_NVIDIA_KEY>" \
  --from-literal=ngc_api_key="<YOUR_NGC_KEY>" \
  --from-literal=nvd_api_key="<YOUR_NVD_KEY>" \
  --from-literal=serpapi_api_key="<YOUR_SERPAPI_KEY>" \
  --from-literal=registry_redhat_username="<YOUR_RH_REGISTRY_USERNAME>" \
  --from-literal=registry_redhat_password="<YOUR_RH_REGISTRY_PASSWORD>"

Red Hat registry credentials

Download the pull secret file from your registry service account, then run:

oc create secret generic image-registry-credentials \
  --from-file=.dockerconfigjson=<path-to-pull-secret.json> \
  --type=kubernetes.io/dockerconfigjson

MongoDB connection

Mode A — host and port:

oc create secret generic mongodb-credentials \
  --from-literal=host="<your-host>:27017" \
  --from-literal=username="<app-username>" \
  --from-literal=password="<app-password>"

Mode B — connection string (Atlas or SRV):

oc create secret generic mongodb-credentials \
  --from-literal=connection-string="mongodb+srv://<user>:<password>@<cluster>/"

OAuth client secret (optional)

The operator generates a random OAuth client secret automatically. To provide your own:

export OAUTH_CLIENT_SECRET=$(openssl rand -base64 32)
export OPENSHIFT_DOMAIN=$(oc get dns cluster -o jsonpath='{.spec.baseDomain}')

oc create secret generic oauth-client-secret \
  --from-literal=client-secret="$OAUTH_CLIENT_SECRET" \
  --from-literal=openshift-domain="$OPENSHIFT_DOMAIN"

Step 4: Deploy the stack

Create an ExploitIQStack instance:

Important: The sample CR file is an example only. You must review and verify that the secret names in the file match the secrets you created in Step 3 before applying it.

oc apply -f config/samples/exploitiq_v1alpha1_exploitiqstack.yaml

Example CR:

apiVersion: exploitiq.openshift.io/v1alpha1
kind: ExploitIQStack
metadata:
  name: exploit-iq
spec:
  webApp:
    registryCredentialsSecretRef:
      name: image-registry-credentials
  database:
    mode: hostPort       # or: connectionString (see Step 3 — MongoDB connection)
    secretRef:
      name: mongodb-credentials

Monitor progress:

oc get exploitiqstack exploit-iq -w

Step 5: Post-deployment tasks

After the stack is running, grant users access by adding them to the exploit-iq-view group:

oc adm groups new exploit-iq-view
oc adm groups add-users exploit-iq-view <username>

For additional post-deployment options, see the kustomize deployment guide.

Uninstalling

Delete the stack instance:

oc delete exploitiqstack --all -n <namespace>

Uninstall the operator from Operators → Installed Operators in the web console.

Additional resources

About

No description, website, or topics provided.

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors