The RHTPA exploit intelligence operator automates the deployment and lifecycle management of the RHTPA exploit intelligence stack on Red Hat OpenShift clusters.
The operator manages the following components:
- Cache: Reverse proxy and cache for external APIs (NVD, GitHub, FIRST, NVIDIA NIM, OpenAI)
- Engine: Primary vulnerability analysis engine
- WebApp: Quarkus-based UI and API
Database: RHTPA exploit intelligence requires a MongoDB instance for data persistence. The operator does not provision MongoDB — you must create the database separately and configure the connection before deploying the stack.
- OpenShift: Version 4.16 or later
- Persistent storage (default storage class configured)
- Cluster-admin privileges
Obtain the following credentials before you begin. You will use these in Step 3: Configure secrets.
| Key | Description | Where to get it |
|---|---|---|
ghsa_api_key |
GitHub Personal Access Token for the GitHub Security Advisory API | github.com/settings/tokens — generate a new fine-grained token |
nvidia_api_key |
NVIDIA NGC API key | org.ngc.nvidia.com |
ngc_api_key |
NVIDIA NGC organization key | org.ngc.nvidia.com |
nvd_api_key |
National Vulnerability Database API key | nvd.nist.gov/developers/request-an-api-key |
serpapi_api_key |
SerpAPI key for web search | serpapi.com/manage-api-key |
registry_redhat_username |
Red Hat registry service account username | access.redhat.com/terms-based-registry |
registry_redhat_password |
Red Hat registry service account token | access.redhat.com/terms-based-registry |
For a MongoDB instance, see Connecting to MongoDB.
Navigate to Operators → OperatorHub or Ecosystem → Software Catalog and search for RHTPA exploit intelligence, then click Install.
Wait for the operator to become ready. The namespace depends on the install mode selected during installation (for example, openshift-operators for all-namespaces mode):
oc get csv -n <operator-namespace> | grep exploit-iq-operatoroc new-project exploit-iqoc create secret generic exploit-iq-secret \
--from-literal=ghsa_api_key="<YOUR_GITHUB_TOKEN>" \
--from-literal=nvidia_api_key="<YOUR_NVIDIA_KEY>" \
--from-literal=ngc_api_key="<YOUR_NGC_KEY>" \
--from-literal=nvd_api_key="<YOUR_NVD_KEY>" \
--from-literal=serpapi_api_key="<YOUR_SERPAPI_KEY>" \
--from-literal=registry_redhat_username="<YOUR_RH_REGISTRY_USERNAME>" \
--from-literal=registry_redhat_password="<YOUR_RH_REGISTRY_PASSWORD>"Download the pull secret file from your registry service account, then run:
oc create secret generic image-registry-credentials \
--from-file=.dockerconfigjson=<path-to-pull-secret.json> \
--type=kubernetes.io/dockerconfigjsonMode A — host and port:
oc create secret generic mongodb-credentials \
--from-literal=host="<your-host>:27017" \
--from-literal=username="<app-username>" \
--from-literal=password="<app-password>"Mode B — connection string (Atlas or SRV):
oc create secret generic mongodb-credentials \
--from-literal=connection-string="mongodb+srv://<user>:<password>@<cluster>/"The operator generates a random OAuth client secret automatically. To provide your own:
export OAUTH_CLIENT_SECRET=$(openssl rand -base64 32)
export OPENSHIFT_DOMAIN=$(oc get dns cluster -o jsonpath='{.spec.baseDomain}')
oc create secret generic oauth-client-secret \
--from-literal=client-secret="$OAUTH_CLIENT_SECRET" \
--from-literal=openshift-domain="$OPENSHIFT_DOMAIN"Create an ExploitIQStack instance:
Important: The sample CR file is an example only. You must review and verify that the secret names in the file match the secrets you created in Step 3 before applying it.
oc apply -f config/samples/exploitiq_v1alpha1_exploitiqstack.yamlExample CR:
apiVersion: exploitiq.openshift.io/v1alpha1
kind: ExploitIQStack
metadata:
name: exploit-iq
spec:
webApp:
registryCredentialsSecretRef:
name: image-registry-credentials
database:
mode: hostPort # or: connectionString (see Step 3 — MongoDB connection)
secretRef:
name: mongodb-credentialsMonitor progress:
oc get exploitiqstack exploit-iq -wAfter the stack is running, grant users access by adding them to the exploit-iq-view group:
oc adm groups new exploit-iq-view
oc adm groups add-users exploit-iq-view <username>For additional post-deployment options, see the kustomize deployment guide.
Delete the stack instance:
oc delete exploitiqstack --all -n <namespace>Uninstall the operator from Operators → Installed Operators in the web console.